Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2024, 10:36 a.m.	Oct. 17, 2024, 10:44 a.m.

Size	842.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`d16b9f62e697777a3b63f53c95a8c65c`
SHA256	`f47857662ee05b4e6f3063940f737f87c116faaa25cf8ea9e7e0d6fb3d4ef166`
CRC32	`34B8A062`
ssdeep	`12288:vYV6MorX7qzuC3QHO9FQVHPF51jgcQ+uBYzSR5+YxKFQSj55m6Ul9jeCoAK59UZZ:8BXu9HGaVHQZa2QXFpPm6ULr60RKOh`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

mso-install.exe "C:\Users\test22\AppData\Local\Temp\mso-install.exe"
1792
- deploy-mso.dst.exe C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.dst.exe -s -pjabu2bn_tk5mysq
  2620
- deploy-mso.exe "C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.exe" /configure C:\Users\test22\AppData\Local\Temp\install.xml
  2680
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
    2792
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
    2900

Name	Response	Post-Analysis Lookup
officecdn.microsoft.com	CNAME office-f-net.trafficmanager.net A 173.222.248.90 CNAME a245.dscd.akamai.net CNAME office-cdn.edgesuite.net CNAME officecdn.microsoft.com.delivery.microsoft.com A 173.222.248.74	38.96.206.65
cacerts.digicert.com	CNAME fp2e7a.wpc.2be4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
ecs.office.com	CNAME s-0005.s-msedge.net CNAME ecs-office.s-0005.s-msedge.net A 52.113.194.132 CNAME ecs.office.trafficmanager.net CNAME s-0005-office.config.skype.com	52.113.194.132
nexusrules.officeapps.live.com	CNAME prod.nexusrules.live.com.akadns.net A 52.111.227.14	52.111.243.30
www.microsoft.com	A 23.40.45.184 CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net CNAME e13678.dscb.akamaiedge.net	104.94.217.134
mrodevicemgr.officeapps.live.com	CNAME prod.mrodevicemgr.live.com.akadns.net A 52.109.124.190	52.109.124.190

IP Address	Status	Action
152.195.38.76	Active	Moloch
164.124.101.2	Active	Moloch
173.222.248.74	Active	Moloch
185.25.60.13	Active	Moloch
195.130.214.155	Active	Moloch
23.40.45.184	Active	Moloch
52.109.124.190	Active	Moloch
52.111.227.14	Active	Moloch
52.113.194.132	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 185.25.60.13:8080	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 185.25.60.13:8080	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 185.25.60.13:8080	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 185.25.60.13:8080	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 185.25.60.13:8080 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.25.60.13:8080 -> 192.168.56.103:49165	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	A Network Trojan was detected
TCP 185.25.60.13:8080 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 52.111.227.14:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 52.109.124.190:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 52.109.124.190:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 52.109.124.190:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 52.113.194.132:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 195.130.214.155:8080	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 185.25.60.13:8080 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.25.60.13:8080 -> 192.168.56.103:49163	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	A Network Trojan was detected
TCP 185.25.60.13:8080 -> 192.168.56.103:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49171 52.111.227.14:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=nexusrules.officeapps.live.com	77:cd:ad:85:c4:22:05:fc:29:52:25:2e:5f:93:84:61:cd:0f:2b:26
TLS 1.2 192.168.56.103:49179 52.109.124.190:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=mrodevicemgr.officeapps.live.com	6b:a3:4c:fa:eb:6a:87:c6:1b:da:fc:77:c8:2c:29:8c:66:17:14:96
TLS 1.2 192.168.56.103:49180 52.109.124.190:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=mrodevicemgr.officeapps.live.com	6b:a3:4c:fa:eb:6a:87:c6:1b:da:fc:77:c8:2c:29:8c:66:17:14:96
TLS 1.2 192.168.56.103:49178 52.109.124.190:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=mrodevicemgr.officeapps.live.com	6b:a3:4c:fa:eb:6a:87:c6:1b:da:fc:77:c8:2c:29:8c:66:17:14:96
TLS 1.2 192.168.56.103:49172 52.113.194.132:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=ecs.office.com	e6:c0:ff:d8:a6:41:8f:1f:de:e2:1b:3b:90:b8:4e:4b:7b:e9:08:0d

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 17, 2024, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 17, 2024, 10:36 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0

Command line console output was observed (28 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: The term 'Get-AppxPackage' is not recognized as the name of a cmdlet, function, console_handle: 0x00000023	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: At line:1 char:27 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: + $package = Get-AppxPackage <<<< Microsoft.Office.Desktop -allUsers; if (!$pa console_handle: 0x00000053	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ckage) { $Error.Add("Package is not installed")}; if ($error.Count -eq 0) { Out console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: -File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scrat console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\tes console_handle: 0x00000077	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: t22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encodin console_handle: 0x00000083	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: g ascii; Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.Validate console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: Error.scratch' -InputObject $error -Encoding ascii;} console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Get-AppxPackage:String) [], Com console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: mandNotFoundException console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: The term 'Get-AppxPackage' is not recognized as the name of a cmdlet, function, console_handle: 0x00000023	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: At line:1 char:27 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: + $package = Get-AppxPackage <<<< Microsoft.Office.Desktop -allUsers; if (!$pa console_handle: 0x00000053	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ckage) { $Error.Add("Package is not installed")}; if ($error.Count -eq 0) { Out console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: -File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scrat console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\tes console_handle: 0x00000077	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: t22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encodin console_handle: 0x00000083	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: g ascii; Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.Validate console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: Error.scratch' -InputObject $error -Encoding ascii;} console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Get-AppxPackage:String) [], Com console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: mandNotFoundException console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000bf	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 102 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059db10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059de10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 17, 2024, 10:36 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.25.60.13:8080/distr/components/deploy-mso.ver
suspicious_features	Connection to IP address	suspicious_request	GET http://185.25.60.13:8080/distr/components/deploy-mso.dst
suspicious_features	Connection to IP address	suspicious_request	GET http://195.130.214.155:8080/logUserActivity.php?u=3FE1525F8E2065C102140EB6C463BC5D&t=1729181842&m=common&a=run_Component:%20deploy-mso%20(pid%20=%201603)

Performs some HTTP requests (14 events)

request	GET http://185.25.60.13:8080/distr/components/deploy-mso.ver
request	GET http://185.25.60.13:8080/distr/components/deploy-mso.dst
request	GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
request	HEAD http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64.cab
request	GET http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64.cab
request	GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
request	GET http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
request	HEAD http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64_16.0.14332.20791.cab
request	HEAD http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64_16.0.14332.20303.cab
request	GET http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64_16.0.14332.20303.cab
request	HEAD http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab
request	GET http://195.130.214.155:8080/logUserActivity.php?u=3FE1525F8E2065C102140EB6C463BC5D&t=1729181842&m=common&a=run_Component:%20deploy-mso%20(pid%20=%201603)

Allocates read-write-execute memory (usually to unpack itself) (50 out of 278 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71981000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71982000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 17, 2024, 10:37 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9925480448 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW Oct. 17, 2024, 10:37 a.m.	total_number_of_free_bytes: 9925574656 free_bytes_available: 9925574656 root_path: C:\Windows\system32 total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Roaming\mv\components\x64\cleanospp.exe
file	C:\Users\test22\AppData\Roaming\mv\components\x64\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.exe
file	C:\Users\test22\AppData\Roaming\mv\components\x86\cleanospp.exe
file	C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.dst.exe
file	C:\Users\test22\AppData\Roaming\mv\components\x86\msvcr100.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\mv\components\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\test22\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Roaming\mv\components\x86\cleanospp.exe
file	C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.exe
file	C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.dst.exe
file	C:\Users\test22\AppData\Roaming\mv\components\x86\msvcr100.dll

Executes one or more WMI queries (4 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_ComputerSystemProduct
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_DiskDrive

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: mobsync.exe process_identifier: 1800	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: pw.exe process_identifier: 1944	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: taskhost.exe process_identifier: 872	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: conhost.exe process_identifier: 1952	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: mso-install.exe process_identifier: 1792	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: WmiPrvSE.exe process_identifier: 2056	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: rundll32.exe process_identifier: 2156	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: rundll32.exe process_identifier: 2204	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: rundll32.exe process_identifier: 2240	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: svchost.exe process_identifier: 2440	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: mscorsvw.exe process_identifier: 2468	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: mscorsvw.exe process_identifier: 2512	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000398 process_name: sppsvc.exe process_identifier: 2560	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 17, 2024, 10:37 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process mso-install.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 17, 2024, 10:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $b`÷÷&¤&¤&¤h¤+¤j¤«¤k¤>¤¸¡^¤$¤_¥0¤_¥5¤_¥ ¤/y¤,¤/y ¤#¤&¤,¤±_¥¤±_¥'¤´_f¤'¤±_¥'¤Rich&¤PELÇ}\|^à¼ùá @@@@µ4tµ< à!ÐTB@ `ìª .text `.rdata2£ ¤ @@.data°8Ð®@À.gfidsèÀ@@.rsrc à âÂ@@.reloc!"¤@B request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00056400', u'virtual_address': u'0x000fe000', u'entropy': 7.935888349874035, u'name': u'UPX1', u'virtual_size': u'0x00057000'}

entropy

7.93588834987

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0007be00', u'virtual_address': u'0x00155000', u'entropy': 7.61828381994666, u'name': u'.rsrc', u'virtual_size': u'0x0007c000'}

entropy

7.61828381995

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 79 events)

Time & API	Arguments	Status
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006e0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042 base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US) base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006e0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Oct. 17, 2024, 10:37 a.m.	regkey_r: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Executes one or more WMI queries which can be used to identify virtual machines (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_ComputerSystemProduct

Communicates with host for which no DNS query was performed (2 events)

host	185.25.60.13
host	195.130.214.155

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Roaming\mv\components\deploy-mso.dst.exe

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000003e4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Collects information about installed applications (16 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox (x64 en-US) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 17, 2024, 10:37 a.m.	key_handle: 0x000006e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (D)
Elastic	malicious (moderate confidence)
Kaspersky	VHO:Trojan.Win32.PoverTel.djn
McAfeeD	ti!F47857662EE0
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-R
Jiangmin	Trojan.Povertel.aj
Antiy-AVL	Trojan[Packed]/Win32.Autoit
Kingsoft	Win32.Trojan.PoverTel.gen
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	VHO:Trojan.Win32.PoverTel.gen
DeepInstinct	MALICIOUS
Malwarebytes	MachineLearning/Anomalous.100%
MaxSecure	Trojan.Malware.300983.susgen
Paloalto	generic.ml
alibabacloud	Trojan:Win/Wacapew.C9nj

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Creates a suspicious Powershell process (2 events)

option	-noprofile				value	Does not load current user profile
option	-noprofile				value	Does not load current user profile

mso-install.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All