Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 23, 2024, 5:13 p.m.	July 23, 2024, 5:14 p.m.

Size	497.0B
Type	vCalendar calendar file
MD5	`7be2232d72dff43cf090b194542cf229`
SHA256	`cf3d1e5f216aecae06b627f9de9f1f25d3d408cff97a55ce606d8a6debe97ebc`
CRC32	`351E2992`
ssdeep	`12:E3fmzBMa72cCQDDZlSQnpSQbDbM/wozqEdK/Qsh1:E3fC97bDVl7pjTozFdK1v`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xxxTjYJCi" C:\Users\test22\AppData\Local\Temp\download.ics
2552
- OUTLOOK.EXE "C:\PROGRA~2\MICROS~1\Office12\OUTLOOK.EXE" /ical "C:\Users\test22\AppData\Local\Temp\download.ics"
  2660

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2ff05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7201a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71a61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70312000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x701ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x701ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6feb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ff7e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb93000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb63000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f881000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 5:14 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.microsoft.com/isapi/redir.dll?prd=outlook

Yara rule detected in process memory (18 events)

description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Run a KeyLogger	rule	KeyLogger

Queries for potentially installed applications (41 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x0002001f regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000344 options: 0 access: 0x0002001f regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: AddressBook base_handle: 0x00000344 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Connection Manager base_handle: 0x00000344 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000344 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: EditPlus base_handle: 0x00000344 key_handle: 0x000002c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000344 key_handle: 0x000002c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Managed base_handle: 0x000002c4 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\Managed		2
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Fontcore base_handle: 0x00000344 key_handle: 0x00000210 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Google Chrome base_handle: 0x00000344 key_handle: 0x00000214 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000344 key_handle: 0x0000036c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: IE40 base_handle: 0x00000344 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: IE4Data base_handle: 0x00000344 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000344 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: IEData base_handle: 0x00000344 key_handle: 0x0000035c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000344 key_handle: 0x00000360 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000344 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: WIC base_handle: 0x00000344 key_handle: 0x00000398 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000344 key_handle: 0x000003b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000344 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000344 key_handle: 0x000003b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x000003a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x0000042c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000514 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000454 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x0000046c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x0000048c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x0000047c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000344 key_handle: 0x00000480 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000344 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000344 key_handle: 0x00000494 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW July 23, 2024, 5:14 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000344 key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Store Root
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\000b0413
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Shared

download.ics

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All