Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2021, 11:07 a.m.	May 4, 2021, 11:17 a.m.

Size	765.8KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`090148a4d527120eaaa7d5d2f0aa5bf1`
SHA256	`6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8`
CRC32	`914E35DE`
ssdeep	`12288:3PUeeAItC66s5xvpAjrarTo7skY2XqzB3jn/:n9I0S5xv0JYk5qzB3j/`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature Win_Trojan_AgentTesla_IN_Zero - Win Trojan AgentTesla IsPE32 - (no description)

LFI_874_103_116.exe C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe
2196
- cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 2196 & erase C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe & RD /S /Q C:\\ProgramData\\939833468218216\\* & exit
  2668
  - taskkill.exe taskkill /pid 2196
    1896
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
205.185.120.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 205.185.120.57:80 -> 192.168.56.101:49206	2026537	ET HUNTING Suspicious EXE Download Content-Type image/jpeg	Potential Corporate Privacy Violation
TCP 205.185.120.57:80 -> 192.168.56.101:49206	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 205.185.120.57:80 -> 192.168.56.101:49206	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 205.185.120.57:80 -> 192.168.56.101:49206	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2027108	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	A Network Trojan was detected
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2029236	ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 205.185.120.57:80	2029846	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 4, 2021, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2021, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2021, 11:16 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 4, 2021, 11:16 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1	0
WriteConsoleW May 4, 2021, 11:16 a.m.	buffer: ERROR: The process "2196" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2021, 11:16 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/6.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/1.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/2.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/3.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/4.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/5.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/7.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/main.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://205.185.120.57/

Performs some HTTP requests (9 events)

request	POST http://205.185.120.57/6.jpg
request	POST http://205.185.120.57/1.jpg
request	POST http://205.185.120.57/2.jpg
request	POST http://205.185.120.57/3.jpg
request	POST http://205.185.120.57/4.jpg
request	POST http://205.185.120.57/5.jpg
request	POST http://205.185.120.57/7.jpg
request	POST http://205.185.120.57/main.php
request	POST http://205.185.120.57/

Sends data using the HTTP POST Method (9 events)

request	POST http://205.185.120.57/6.jpg
request	POST http://205.185.120.57/1.jpg
request	POST http://205.185.120.57/2.jpg
request	POST http://205.185.120.57/3.jpg
request	POST http://205.185.120.57/4.jpg
request	POST http://205.185.120.57/5.jpg
request	POST http://205.185.120.57/7.jpg
request	POST http://205.185.120.57/main.php
request	POST http://205.185.120.57/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 4, 2021, 11:16 a.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72852000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 4, 2021, 11:16 a.m.	total_number_of_free_bytes: 13726273536 free_bytes_available: 13726273536 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Chromium\User Data\Local State
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Local State

Creates executable files on the filesystem (7 events)

file	C:\ProgramData\sqlite3.dll
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	cmd.exe /c taskkill /pid 2196 & erase C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe & RD /S /Q C:\\ProgramData\\939833468218216\\* & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 2196 & erase C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe & RD /S /Q C:\\ProgramData\\939833468218216\\* & exit

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2196)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 4, 2021, 11:16 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c taskkill /pid 2196 & erase C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe & RD /S /Q C:\\ProgramData\\939833468218216\\* & exit filepath: cmd.exe	1	1	0

An executable file was downloaded by the process lfi_874_103_116.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2021, 11:16 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 4, 2021, 11:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (4 events)

url	https://www.nuget.org/packages/Newtonsoft.Json.Bson
url	https://github.com/Fody/Costura/graphs/contributors
url	https://www.newtonsoft.com/jsonschema
url	https://discord.com/

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000002 key_handle: 0x000002f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA May 4, 2021, 11:16 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000002f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c taskkill /pid 2196 & erase C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe & RD /S /Q C:\\ProgramData\\939833468218216\\* & exit
cmdline	taskkill /pid 2196
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 2196 & erase C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe & RD /S /Q C:\\ProgramData\\939833468218216\\* & exit

Communicates with host for which no DNS query was performed (1 event)

host

205.185.120.57

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (19 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\
file	C:\Users\test22\AppData\Roaming\Electrum\wallets\
file	C:\Users\test22\AppData\Roaming\Litecoin\
file	C:\Users\test22\AppData\Roaming\Namecoin\
file	C:\Users\test22\AppData\Roaming\Terracoin\
file	C:\Users\test22\AppData\Roaming\Primecoin\
file	C:\Users\test22\AppData\Roaming\Freicoin\
file	C:\Users\test22\AppData\Roaming\devcoin\
file	C:\Users\test22\AppData\Roaming\Franko\
file	C:\Users\test22\AppData\Roaming\Megacoin\
file	C:\Users\test22\AppData\Roaming\Infinitecoin\
file	C:\Users\test22\AppData\Roaming\Ixcoin\
file	C:\Users\test22\AppData\Roaming\Anoncoin\
file	C:\Users\test22\AppData\Roaming\BBQCoin\
file	C:\Users\test22\AppData\Roaming\digitalcoin\
file	C:\Users\test22\AppData\Roaming\Mincoin\
file	C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\
file	C:\Users\test22\AppData\Roaming\YACoin\
file	C:\Users\test22\AppData\Roaming\Florincoin\

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\LFI_874_103_116.exe

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA May 4, 2021, 11:16 a.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

MicroWorld-eScan	Trojan.GenericKD.46212578
FireEye	Generic.mg.090148a4d527120e
McAfee	RDN/Generic.grp
Cylance	Unsafe
Sangfor	Hacktool.MSIL.Lore.MTB
K7AntiVirus	Trojan ( 0057b9131 )
Alibaba	VirTool:MSIL/Witch.fd70e049
K7GW	Trojan ( 0057b9131 )
Cybereason	malicious.505c37
Arcabit	Trojan.Generic.D2C125E2
BitDefenderTheta	Gen:NN.ZemsilF.34686.Vm1@aSEpCnl
Cyren	W32/MSIL_Kryptik.ECQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/PSW.Agent.OJQ
TrendMicro-HouseCall	TrojanSpy.MSIL.WITCH.USMANDU21
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Witch.gen
BitDefender	Trojan.GenericKD.46212578
Paloalto	generic.ml
APEX	Malicious
Tencent	Msil.Trojan.Witch.Dkr
Ad-Aware	Trojan.GenericKD.46212578
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	RDN/Generic.grp
Emsisoft	Trojan.GenericKD.46212578 (B)
Ikarus	Trojan.MSIL.Inject
Jiangmin	Trojan.MSIL.yzrh
eGambit	PE.Heur.InvalidSig
Avira	TR/Kryptik.yesux
Microsoft	VirTool:MSIL/Lore!MTB
ViRobot	Trojan.Win32.Z.Wacatac.784184
GData	Win32.Trojan.OskiStealer.HCFJMC
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4445959
ALYac	Trojan.GenericKD.46212578
MAX	malware (ai score=87)
Malwarebytes	Trojan.MalPack.MSIL
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.FEPC!tr
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_80% (W)

LFI_874_103_116.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All