Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 23, 2021, 10:05 a.m.	April 23, 2021, 10:09 a.m.

Size	273.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7c41e064f77799275788d55d09d1ff3e`
SHA256	`4d4f335669d4e7a200c2b9f31430a6090ab922ba476e0d3aafe0a2462b0978fa`
CRC32	`DCCBA99A`
ssdeep	`6144:SqbQBrkT5xbZosSEEzZ0FTs2s5EM5udsJNsoX0Wq:SqbQBQxbIHUvbMNbE3`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check win_files_operation - Affect private profile

soft.exe "C:\Users\test22\AppData\Local\Temp\soft.exe"
8564
- cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\soft.exe"
  7072
  - PING.EXE ping 127.0.0.1
    4980

Name	Response	Post-Analysis Lookup
up.ufile.io	A 104.27.194.88 A 104.27.195.88	104.27.194.88
hirezz.com	A 162.144.12.143	162.144.12.143
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
104.27.194.88	Active	Moloch
162.144.12.143	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49812 -> 104.27.194.88:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49813 -> 104.27.194.88:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49809 -> 162.144.12.143:80	2032342	ET MALWARE Win32/Unk Downloader CnC Activity	Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 104.27.194.88:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49811 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49812 104.27.194.88:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	47:ea:38:25:90:4e:67:30:f9:3d:f5:b5:f2:9a:2a:da:67:5a:ef:97
TLSv1 192.168.56.102:49813 104.27.194.88:443	None	None	None
TLSv1 192.168.56.102:49814 104.27.194.88:443	None	None	None
TLSv1 192.168.56.102:49811 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 23, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA April 23, 2021, 10:05 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 23, 2021, 10:05 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://hirezz.com/test/includes/image.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://hirezz.com/test/includes/image.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ib2a7
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://up.ufile.io/v1/upload/create_session
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://up.ufile.io/v1/upload/chunk
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://up.ufile.io/v1/upload/finalise

Performs some HTTP requests (7 events)

request	GET http://hirezz.com/test/includes/image.php
request	GET http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678
request	POST http://hirezz.com/test/includes/image.php
request	GET https://iplogger.org/1ib2a7
request	POST https://up.ufile.io/v1/upload/create_session
request	POST https://up.ufile.io/v1/upload/chunk
request	POST https://up.ufile.io/v1/upload/finalise

Sends data using the HTTP POST Method (4 events)

request	POST http://hirezz.com/test/includes/image.php
request	POST https://up.ufile.io/v1/upload/create_session
request	POST https://up.ufile.io/v1/upload/chunk
request	POST https://up.ufile.io/v1/upload/finalise

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 23, 2021, 10:05 a.m.	process_identifier: 8564 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 23, 2021, 10:05 a.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local State

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\soft.exe"
cmdline	C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\soft.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\soft.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 23, 2021, 10:05 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\soft.exe" filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW April 23, 2021, 10:05 a.m.	snapshot_handle: 0x00000384 process_name: mobsync.exe process_identifier: 9120	1	1
Process32NextW April 23, 2021, 10:05 a.m.	snapshot_handle: 0x00000384 process_name: pw.exe process_identifier: 2552	1	1
Process32NextW April 23, 2021, 10:05 a.m.	snapshot_handle: 0x00000384 process_name: taskhost.exe process_identifier: 1932	1	1
Process32NextW April 23, 2021, 10:05 a.m.	snapshot_handle: 0x00000384 process_name: soft.exe process_identifier: 8564	1	1
Process32NextW April 23, 2021, 10:05 a.m.	snapshot_handle: 0x00000384 process_name: slui.exe process_identifier: 7688	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002e200', u'virtual_address': u'0x00016000', u'entropy': 7.64782986227465, u'name': u'.data', u'virtual_size': u'0x0002ee1c'}

entropy

7.64782986227

description

A section with a high entropy has been found

entropy

0.678308823529

description

Overall entropy of this PE file is high

Queries for potentially installed applications (50 out of 209 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus		2
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0
RegOpenKeyExW April 23, 2021, 10:05 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\soft.exe"
cmdline	C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\soft.exe"
cmdline	ping 127.0.0.1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Collects information about installed applications (44 events)

Time & API	Arguments	Status
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 7 Update 51 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Office 64-bit Components 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExW April 23, 2021, 10:05 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1

Harvests credentials from local email clients (4 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Store Root
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Expresses interest in specific running processes (1 event)

process: potential process injection target

smss.exe

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.854061
FireEye	Generic.mg.7c41e064f7779927
McAfee	Artemis!7C41E064F777
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0057a93c1 )
Alibaba	TrojanPSW:Win32/GenKryptik.f6e5edd1
K7GW	Trojan ( 0057a93c1 )
Cybereason	malicious.4f7779
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FDVB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.Win32.Kpot.gen
BitDefender	Gen:Variant.Razy.854061
Ad-Aware	Gen:Variant.Razy.854061
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Emsisoft	Gen:Variant.Razy.854061 (B)
Ikarus	Trojan.Win32.Krypt
eGambit	Unsafe.AI_Score_99%
Avira	TR/Kryptik.fynue
MAX	malware (ai score=80)
Microsoft	Trojan:Win32/Wacatac.B!ml
AegisLab	Trojan.Win32.Kpot.i!c
GData	Gen:Variant.Razy.854061
Cynet	Malicious (score: 100)
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34678.ruW@a0JF5ebi
VBA32	Trojan.MTA.01011
Malwarebytes	Spyware.KpotStealer
TrendMicro-HouseCall	TROJ_GEN.R002C0WDK21
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/GenKryptik.FDVB!tr
Webroot	W32.Rogue.Gen
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Trojan.Kryptik.HwoCtZ4A

soft.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All