Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2024, 9:29 a.m.	June 7, 2024, 9:31 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fb2f90584265d465b4046c9a4e7c9bfa`
SHA256	`ae61a84a75768acf39d02fe54a1952219b53f04054b0f3c16ac836f56dd3ae46`
CRC32	`17D5009F`
ssdeep	`49152:sH8KUUxZTMj1B0bLdzT8T9EilfJxb549+mcUtqYvqH6RXgFiKo79:sHCyo0bRkEiDvOFM6n`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

lenin.exe "C:\Users\test22\AppData\Local\Temp\lenin.exe"
2548
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2792
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2852

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
104.26.5.15	Active	Moloch
147.45.47.126	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.5.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA June 7, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:29 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 7, 2024, 9:29 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW June 7, 2024, 9:29 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2024, 9:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	ofqranmj
section	xphgbovu
section	.taggant

One or more processes crashed (50 out of 117 events)

Time & API	Arguments	Status
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: lenin+0x44e0b9 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 4513977 exception.address: 0x118e0b9 registers.esp: 2817436 registers.edi: 0 registers.eax: 1 registers.ebp: 2817452 registers.edx: 20127744 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 c7 04 24 d2 84 fe 7f ff 04 exception.symbol: lenin+0x18f6db exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1636059 exception.address: 0xecf6db registers.esp: 2817404 registers.edi: 1968898280 registers.eax: 29147 registers.ebp: 4005548052 registers.edx: 13893632 registers.ebx: 15556591 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 f6 00 00 00 89 d6 8b 14 24 81 c4 04 00 00 exception.symbol: lenin+0x18f4b7 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1635511 exception.address: 0xecf4b7 registers.esp: 2817404 registers.edi: 1968898280 registers.eax: 29147 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 15530471 registers.esi: 3 registers.ecx: 1373866323	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 50 b8 a2 ef b6 77 01 c7 58 57 89 2c 24 bd 98 exception.symbol: lenin+0x190103 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1638659 exception.address: 0xed0103 registers.esp: 2817400 registers.edi: 15530963 registers.eax: 27934 registers.ebp: 4005548052 registers.edx: 1614089496 registers.ebx: 15530471 registers.esi: 3 registers.ecx: 1373866323	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 52 e9 73 00 00 00 01 fb 55 bd ca 85 9d 1e e9 exception.symbol: lenin+0x18fe1f exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1637919 exception.address: 0xecfe1f registers.esp: 2817404 registers.edi: 15558897 registers.eax: 27934 registers.ebp: 4005548052 registers.edx: 1614089496 registers.ebx: 15530471 registers.esi: 3 registers.ecx: 1373866323	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 e9 71 fe ff ff 29 exception.symbol: lenin+0x18fe7f exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1638015 exception.address: 0xecfe7f registers.esp: 2817404 registers.edi: 15533577 registers.eax: 236777 registers.ebp: 4005548052 registers.edx: 1614089496 registers.ebx: 0 registers.esi: 3 registers.ecx: 1373866323	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 ec 04 00 00 00 89 2c 24 bd 04 00 exception.symbol: lenin+0x30b9e2 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3193314 exception.address: 0x104b9e2 registers.esp: 2817404 registers.edi: 0 registers.eax: 27939 registers.ebp: 4005548052 registers.edx: 2345 registers.ebx: 1609728 registers.esi: 17087889 registers.ecx: 3909414019	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 97 00 00 00 89 3c 24 e9 db 00 00 00 81 c3 exception.symbol: lenin+0x3118e5 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3217637 exception.address: 0x10518e5 registers.esp: 2817400 registers.edi: 65535 registers.eax: 17109496 registers.ebp: 4005548052 registers.edx: 2101 registers.ebx: 17106997 registers.esi: 2775756617 registers.ecx: 372	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 3f 8e ef 67 89 04 24 68 1a fb f5 4f 8b 04 exception.symbol: lenin+0x3113d3 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3216339 exception.address: 0x10513d3 registers.esp: 2817404 registers.edi: 65535 registers.eax: 17142164 registers.ebp: 4005548052 registers.edx: 2101 registers.ebx: 17106997 registers.esi: 2775756617 registers.ecx: 372	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 77 56 94 5d e9 07 01 00 00 2d ff ff ff ff exception.symbol: lenin+0x311af1 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3218161 exception.address: 0x1051af1 registers.esp: 2817404 registers.edi: 50665 registers.eax: 17112376 registers.ebp: 4005548052 registers.edx: 2101 registers.ebx: 0 registers.esi: 2775756617 registers.ecx: 372	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 e9 36 00 00 00 52 89 e2 56 be 64 exception.symbol: lenin+0x317160 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3240288 exception.address: 0x1057160 registers.esp: 2817404 registers.edi: 6368783 registers.eax: 33322 registers.ebp: 4005548052 registers.edx: 17165358 registers.ebx: 0 registers.esi: 2775756617 registers.ecx: 14288	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 2d ca 28 64 89 3c 24 68 f1 db e9 7c 5f c1 exception.symbol: lenin+0x316f52 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3239762 exception.address: 0x1056f52 registers.esp: 2817404 registers.edi: 1259 registers.eax: 0 registers.ebp: 4005548052 registers.edx: 17135674 registers.ebx: 0 registers.esi: 2775756617 registers.ecx: 14288	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 54 8b 0c 24 81 c4 04 exception.symbol: lenin+0x31c30e exception.instruction: in eax, dx exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3261198 exception.address: 0x105c30e registers.esp: 2817396 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4005548052 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 17147799 registers.ecx: 20	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: lenin+0x31aa82 exception.address: 0x105aa82 exception.module: lenin.exe exception.exception_code: 0xc000001d exception.offset: 3254914 registers.esp: 2817396 registers.edi: 1259 registers.eax: 1 registers.ebp: 4005548052 registers.edx: 22104 registers.ebx: 0 registers.esi: 17147799 registers.ecx: 20	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 4e 37 2d 12 01 exception.symbol: lenin+0x31d66d exception.instruction: in eax, dx exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3266157 exception.address: 0x105d66d registers.esp: 2817396 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4005548052 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 17147799 registers.ecx: 10	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 50 e8 03 00 00 00 20 58 c3 58 exception.symbol: lenin+0x322fc7 exception.instruction: int 1 exception.module: lenin.exe exception.exception_code: 0xc0000005 exception.offset: 3289031 exception.address: 0x1062fc7 registers.esp: 2817364 registers.edi: 0 registers.eax: 2817364 registers.ebp: 4005548052 registers.edx: 12516 registers.ebx: 17182948 registers.esi: 17182948 registers.ecx: 0	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 db 9c 6d 7a ff 34 24 8b 14 24 83 c4 04 55 exception.symbol: lenin+0x323c6d exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3292269 exception.address: 0x1063c6d registers.esp: 2817404 registers.edi: 17210122 registers.eax: 26476 registers.ebp: 4005548052 registers.edx: 4294943408 registers.ebx: 33661843 registers.esi: 57146083 registers.ecx: 6379	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 e3 9f 5c 39 89 04 24 52 50 b8 6e 20 ff 6e exception.symbol: lenin+0x3333ab exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3355563 exception.address: 0x10733ab registers.esp: 2817404 registers.edi: 15519870 registers.eax: 29961 registers.ebp: 4005548052 registers.edx: 6 registers.ebx: 33662065 registers.esi: 17275990 registers.ecx: 0	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 57 50 89 e0 e9 8a fe ff ff b8 21 a3 6e 77 e9 exception.symbol: lenin+0x332c66 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3353702 exception.address: 0x1072c66 registers.esp: 2817404 registers.edi: 15519870 registers.eax: 29961 registers.ebp: 4005548052 registers.edx: 4294940540 registers.ebx: 33662065 registers.esi: 17275990 registers.ecx: 262633	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 53 55 68 e3 37 7d 5e 5d 81 exception.symbol: lenin+0x337e7f exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3374719 exception.address: 0x1077e7f registers.esp: 2817396 registers.edi: 15519870 registers.eax: 17268660 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 33662065 registers.esi: 29354323 registers.ecx: 4294940540	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 bb 69 c3 ed 7b 51 50 89 e0 exception.symbol: lenin+0x338628 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3376680 exception.address: 0x1078628 registers.esp: 2817396 registers.edi: 17296119 registers.eax: 26946 registers.ebp: 4005548052 registers.edx: 467018786 registers.ebx: 33662065 registers.esi: 29354323 registers.ecx: 1005619807	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 b8 3d a7 9f 0c e9 49 00 00 00 89 exception.symbol: lenin+0x338722 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3376930 exception.address: 0x1078722 registers.esp: 2817396 registers.edi: 17272079 registers.eax: 26946 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 2737031528 registers.esi: 29354323 registers.ecx: 1005619807	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 28 c3 33 39 89 04 24 e9 54 00 00 00 bf 19 exception.symbol: lenin+0x33e7f5 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3401717 exception.address: 0x107e7f5 registers.esp: 2817396 registers.edi: 17272079 registers.eax: 31540 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 2737031528 registers.esi: 17325310 registers.ecx: 1631322112	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 51 55 e9 cd ff ff ff 5b 01 d6 5a 57 e9 2b 01 exception.symbol: lenin+0x33ebb1 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3402673 exception.address: 0x107ebb1 registers.esp: 2817396 registers.edi: 17272079 registers.eax: 322689 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 17296814 registers.ecx: 1631322112	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 81 e9 ba 82 ad 6c 57 e9 6b 02 00 00 89 04 24 exception.symbol: lenin+0x35a664 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3516004 exception.address: 0x109a664 registers.esp: 2817360 registers.edi: 17426415 registers.eax: 30914 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 56308 registers.esi: 17404847 registers.ecx: 17409001	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 57 e9 80 02 00 00 81 ec 04 00 00 00 89 0c 24 exception.symbol: lenin+0x35a589 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3515785 exception.address: 0x109a589 registers.esp: 2817364 registers.edi: 17426415 registers.eax: 30914 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 56308 registers.esi: 17404847 registers.ecx: 17439915	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 57 53 bb e4 fe fa 39 e9 49 02 00 00 31 c8 59 exception.symbol: lenin+0x35a874 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3516532 exception.address: 0x109a874 registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 30914 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 4294939096 registers.esi: 17404847 registers.ecx: 17439915	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 4c 00 00 00 68 c4 bb 69 39 e9 ad fe ff ff exception.symbol: lenin+0x35c048 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3522632 exception.address: 0x109c048 registers.esp: 2817360 registers.edi: 1375758944 registers.eax: 30060 registers.ebp: 4005548052 registers.edx: 152916527 registers.ebx: 4294939096 registers.esi: 17404847 registers.ecx: 17413771	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 53 bb 40 5c f9 79 52 ba 00 00 00 00 81 ea 49 exception.symbol: lenin+0x35ba07 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3521031 exception.address: 0x109ba07 registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 30060 registers.ebp: 4005548052 registers.edx: 152916527 registers.ebx: 4294939096 registers.esi: 17404847 registers.ecx: 17443831	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 51 53 89 24 24 e9 be fc ff ff 51 89 e1 e9 da exception.symbol: lenin+0x35ba49 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3521097 exception.address: 0x109ba49 registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 606898512 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 4294939096 registers.esi: 17404847 registers.ecx: 17416631	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 51 50 c7 04 24 40 b1 c7 22 81 24 24 60 d1 1f exception.symbol: lenin+0x35c59a exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3523994 exception.address: 0x109c59a registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 32566 registers.ebp: 4005548052 registers.edx: 894562048 registers.ebx: 4294939096 registers.esi: 17404847 registers.ecx: 17449665	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 50 b8 04 00 00 00 exception.symbol: lenin+0x35c966 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3524966 exception.address: 0x109c966 registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 8055126 registers.ebp: 4005548052 registers.edx: 894562048 registers.ebx: 0 registers.esi: 17404847 registers.ecx: 17419909	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 53 e9 00 fe ff ff 83 c4 04 68 cb 03 94 2b 89 exception.symbol: lenin+0x35d900 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3528960 exception.address: 0x109d900 registers.esp: 2817360 registers.edi: 1375758944 registers.eax: 29619 registers.ebp: 4005548052 registers.edx: 1235606717 registers.ebx: 0 registers.esi: 17404847 registers.ecx: 17420321	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 50 54 58 05 04 00 00 00 83 e8 04 33 04 24 31 exception.symbol: lenin+0x35d3de exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3527646 exception.address: 0x109d3de registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 29619 registers.ebp: 4005548052 registers.edx: 1235606717 registers.ebx: 0 registers.esi: 17404847 registers.ecx: 17449940	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 0c 06 00 00 55 e9 38 03 00 00 5a 81 c3 09 exception.symbol: lenin+0x35d1f1 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3527153 exception.address: 0x109d1f1 registers.esp: 2817364 registers.edi: 1375758944 registers.eax: 0 registers.ebp: 4005548052 registers.edx: 1235606717 registers.ebx: 0 registers.esi: 1358981728 registers.ecx: 17423396	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 bd 01 00 00 53 bb 04 00 00 00 e9 e4 00 00 exception.symbol: lenin+0x35e5f9 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3532281 exception.address: 0x109e5f9 registers.esp: 2817364 registers.edi: 17424187 registers.eax: 26420 registers.ebp: 4005548052 registers.edx: 1236131775 registers.ebx: 15534010 registers.esi: 0 registers.ecx: 17451546	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 68 00 5a 6a 68 89 1c 24 89 3c 24 e9 23 00 00 exception.symbol: lenin+0x35e701 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3532545 exception.address: 0x109e701 registers.esp: 2817364 registers.edi: 17424187 registers.eax: 26420 registers.ebp: 4005548052 registers.edx: 4294944028 registers.ebx: 15534010 registers.esi: 322689 registers.ecx: 17451546	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0f 81 04 24 be 03 fb 2f ff 34 24 exception.symbol: lenin+0x362b07 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3549959 exception.address: 0x10a2b07 registers.esp: 2817364 registers.edi: 17470341 registers.eax: 27087 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 65786 registers.esi: 322689 registers.ecx: 1971716238	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 51 b9 39 12 77 77 exception.symbol: lenin+0x3630f9 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3551481 exception.address: 0x10a30f9 registers.esp: 2817364 registers.edi: 17470341 registers.eax: 27087 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 78313 registers.esi: 322689 registers.ecx: 4294942852	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 9c 00 00 00 5c 81 f9 3c a6 ff ff 0f 85 91 exception.symbol: lenin+0x365bfa exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3562490 exception.address: 0x10a5bfa registers.esp: 2817364 registers.edi: 17470341 registers.eax: 17481202 registers.ebp: 4005548052 registers.edx: 1016734161 registers.ebx: 78313 registers.esi: 322689 registers.ecx: 4294942852	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 57 68 e2 21 bd 11 89 04 24 c7 04 24 01 04 be exception.symbol: lenin+0x365c0d exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3562509 exception.address: 0x10a5c0d registers.esp: 2817364 registers.edi: 17470341 registers.eax: 17481202 registers.ebp: 4005548052 registers.edx: 1016734161 registers.ebx: 78313 registers.esi: 157417 registers.ecx: 4294944316	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 51 e9 a9 00 00 00 81 ed f1 a6 0d 71 81 f5 51 exception.symbol: lenin+0x367287 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3568263 exception.address: 0x10a7287 registers.esp: 2817360 registers.edi: 17470341 registers.eax: 28869 registers.ebp: 4005548052 registers.edx: 1757547130 registers.ebx: 17459248 registers.esi: 157417 registers.ecx: 4294944316	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 52 89 2c 24 bd d7 e3 47 3e 89 e9 e9 64 ff ff exception.symbol: lenin+0x366e5c exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3567196 exception.address: 0x10a6e5c registers.esp: 2817364 registers.edi: 17470341 registers.eax: 4294941908 registers.ebp: 4005548052 registers.edx: 1757547130 registers.ebx: 17488117 registers.esi: 157417 registers.ecx: 3939837675	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 2f f8 ff ff 82 77 2d a8 49 72 e8 d5 a3 25 exception.symbol: lenin+0x36d749 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3594057 exception.address: 0x10ad749 registers.esp: 2817364 registers.edi: 13668 registers.eax: 26460 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 17510915 registers.esi: 17465333 registers.ecx: 1631322112	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 68 00 3e 97 7b ff 34 24 59 51 89 exception.symbol: lenin+0x36ccfb exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3591419 exception.address: 0x10accfb registers.esp: 2817364 registers.edi: 13668 registers.eax: 26460 registers.ebp: 4005548052 registers.edx: 4133064296 registers.ebx: 17510915 registers.esi: 4294944072 registers.ecx: 1631322112	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 50 e9 41 02 00 00 8b 2c 24 52 e9 09 06 00 00 exception.symbol: lenin+0x375552 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3626322 exception.address: 0x10b5552 registers.esp: 2817364 registers.edi: 0 registers.eax: 2817094248 registers.ebp: 4005548052 registers.edx: 26708 registers.ebx: 17522463 registers.esi: 4178184 registers.ecx: 17308320	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 1a 00 00 00 33 1c 24 31 1c 24 33 1c 24 8b exception.symbol: lenin+0x389c7d exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3710077 exception.address: 0x10c9c7d registers.esp: 2817360 registers.edi: 17601538 registers.eax: 27271 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 17534995 registers.ecx: 1631322112	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 51 d1 77 7a 81 2c 24 70 47 38 4f exception.symbol: lenin+0x389b20 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3709728 exception.address: 0x10c9b20 registers.esp: 2817364 registers.edi: 17628809 registers.eax: 27271 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 17534995 registers.ecx: 1631322112	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb 51 e9 fc 00 00 00 01 f0 5e 05 45 e7 fb 7e 05 exception.symbol: lenin+0x3895ee exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3708398 exception.address: 0x10c95ee registers.esp: 2817364 registers.edi: 17604417 registers.eax: 27271 registers.ebp: 4005548052 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 17534995 registers.ecx: 986940520	1
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: fb e9 32 00 00 00 bb 61 3d 57 7d e9 00 00 00 00 exception.symbol: lenin+0x38fa9b exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3734171 exception.address: 0x10cfa9b registers.esp: 2817364 registers.edi: 270814347 registers.eax: 17630535 registers.ebp: 4005548052 registers.edx: 0 registers.ebx: 17605809 registers.esi: 51243347 registers.ecx: 17308320	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (46 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 704512 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:29 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

lenin.exe tried to sleep 232 seconds, actually delayed analysis time by 232 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2024, 9:29 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 3360 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\jgaaimajipbpdogpdglhaphldakikgef\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Sync Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\igkpcodhieompeloncfnbekccinhapdb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\anokgmphncpekkhclmingpimjmcooifb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 7, 2024, 9:29 a.m.	thread_identifier: 2796 thread_handle: 0x000001c4 process_identifier: 2792 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c8	1	1	0
CreateProcessInternalW June 7, 2024, 9:29 a.m.	thread_identifier: 2856 thread_handle: 0x000001d0 process_identifier: 2852 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001cc	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 7, 2024, 9:29 a.m.	snapshot_handle: 0x000004c4 process_name: taskhost.exe process_identifier: 2372	1	1	0
Process32NextW June 7, 2024, 9:29 a.m.	snapshot_handle: 0x000004c4 process_name: lenin.exe process_identifier: 2548	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x000ab400', u'virtual_address': u'0x00001000', u'entropy': 7.989727275984775, u'name': u' \\x00 ', u'virtual_size': u'0x00189000'}

entropy

7.98972727598

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001400', u'virtual_address': u'0x0018a000', u'entropy': 7.835758883330173, u'name': u'.rsrc', u'virtual_size': u'0x00001934'}

entropy

7.83575888333

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a2c00', u'virtual_address': u'0x0044e000', u'entropy': 7.953270263945492, u'name': u'ofqranmj', u'virtual_size': u'0x001a3000'}

entropy

7.95327026395

description

A section with a high entropy has been found

entropy

0.99537037037

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA June 7, 2024, 9:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host

147.45.47.126

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 7, 2024, 9:29 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA June 7, 2024, 9:29 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 7, 2024, 9:29 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 54 8b 0c 24 81 c4 04 exception.symbol: lenin+0x31c30e exception.instruction: in eax, dx exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3261198 exception.address: 0x105c30e registers.esp: 2817396 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4005548052 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 17147799 registers.ecx: 20	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Skyhigh	BehavesLike.Win32.RisePro.vc
ALYac	Gen:Trojan.Heur.uE0auSCX6Oak
Cylance	Unsafe
VIPRE	Gen:Trojan.Heur.uE0auSCX6Oak
K7AntiVirus	Trojan ( 005376ae1 )
BitDefender	Gen:Trojan.Heur.uE0auSCX6Oak
K7GW	Trojan ( 005376ae1 )
Cybereason	malicious.84265d
Arcabit	Trojan.Heur.uE0auSCX6Oak
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Risepro-10030665-0
Kaspersky	VHO:Trojan-PSW.Win32.RisePro.gen
MicroWorld-eScan	Gen:Trojan.Heur.uE0auSCX6Oak
Emsisoft	Gen:Trojan.Heur.uE0auSCX6Oak (B)
McAfeeD	Real Protect-LS!FB2F90584265
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.fb2f90584265d465
Sophos	Mal/RisePro-A
Google	Detected
MAX	malware (ai score=83)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/RisePro.RP!MTB
ZoneAlarm	VHO:Trojan-PSW.Win32.RisePro.gen
GData	Gen:Trojan.Heur.uE0auSCX6Oak
AhnLab-V3	Trojan/Win.RisePro.R649725
BitDefenderTheta	AI:Packer.AC3650CA1C
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]

lenin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All