Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 26, 2021, 8:53 a.m.	May 26, 2021, 9:38 a.m.

Size	173.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c43aa3df483f13d1690fa6d26b38c203`
SHA256	`ff02f3af7f48e2c04f6e6026a7bfe11697625b0963c2751b4aa0597a4528a67b`
CRC32	`2ECEC0E3`
ssdeep	`3072:9EZe3Ps0yeGQDSfFKe0HCQdseKrxXM04P0E+r+s1M:9X3P0bZV0iSIXM0S0E+B`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

0551038.exe C:\Users\test22\AppData\Local\Temp\0551038.exe
1340

Name	Response	Post-Analysis Lookup
ahsanulalam.buet.ac.bd	A 103.94.135.216	103.94.135.216

IP Address	Status	Action
103.94.135.216	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 103.94.135.216:80 -> 192.168.56.101:49204	2029136	ET MALWARE AZORult v3.3 Server Response M1	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2021, 9:36 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://ahsanulalam.buet.ac.bd/bvyukiu/index.php

Performs some HTTP requests (1 event)

request

POST http://ahsanulalam.buet.ac.bd/bvyukiu/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://ahsanulalam.buet.ac.bd/bvyukiu/index.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 26, 2021, 9:36 a.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (50 out of 99 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Web Data

Creates executable files on the filesystem (48 events)

file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-handle-l1-1-0.dll

Drops an executable to the user AppData folder (48 events)

file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-process-l1-1-0.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 26, 2021, 9:36 a.m.	snapshot_handle: 0x00000328 process_name: taskhost.exe process_identifier: 812	1	1	0
Process32NextW May 26, 2021, 9:36 a.m.	snapshot_handle: 0x00000328 process_name: 0551038.exe process_identifier: 1340	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00026800', u'virtual_address': u'0x00002000', u'entropy': 7.886228864328326, u'name': u'.text', u'virtual_size': u'0x000266ec'}

entropy

7.88622886433

description

A section with a high entropy has been found

entropy

0.892753623188

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (16 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over HTTP	rule	Network_HTTP
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExA May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000035c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000036c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000370 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000374 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000390 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000398 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003d0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003d4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003d8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000408 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000040c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000410 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000418 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000424 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2021, 9:36 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000428 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (16 events)

file	C:\Users\test22\AppData\Roaming\Adobe\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\EditPlus\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\EditPlus\wallet.dat
file	C:\Users\test22\AppData\Roaming\HNC\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Identities\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Macromedia\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\HNC\wallet.dat
file	C:\Users\test22\AppData\wallet.dat
file	C:\Users\test22\AppData\Roaming\Microsoft\wallet.dat
file	C:\Users\test22\AppData\Roaming\Microsoft\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Macromedia\wallet.dat
file	C:\Users\test22\AppData\Roaming\Identities\wallet.dat
file	C:\Users\test22\AppData\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\wallet.dat
file	C:\Users\test22\AppData\Roaming\Adobe\wallet.dat

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\filezilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x000003e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x000003fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000408 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000410 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000418 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000428 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000430 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000448 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000450 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000478 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000480 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 26, 2021, 9:36 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.c43aa3df483f13d1
Sangfor	Trojan.Win32.Save.a
ESET-NOD32	a variant of Win32/Injector.EPKO
APEX	Malicious
MaxSecure	Trojan.Malware.300983.susgen
Ikarus	Trojan.MSIL.Inject
Microsoft	Program:Win32/Wacapew.C!ml
Malwarebytes	MachineLearning/Anomalous.94%
BitDefenderTheta	Gen:NN.ZemsilF.34692.km0@aezheFk

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Appends a known CryptoMix ransomware file extension to files that have been encrypted (16 events)

file	C:\Users\test22\AppData\Roaming\Identities\.wallet
file	C:\Users\test22\AppData\Roaming\Adobe\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Macromedia\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\HNC\.wallet
file	C:\Users\test22\AppData\Roaming\Adobe\.wallet
file	C:\Users\test22\AppData\Roaming\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Microsoft\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Macromedia\.wallet
file	C:\Users\test22\AppData\.wallet
file	C:\Users\test22\AppData\Roaming\EditPlus\wallets\.wallet
file	C:\Users\test22\AppData\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\.wallet
file	C:\Users\test22\AppData\Roaming\Identities\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\EditPlus\.wallet
file	C:\Users\test22\AppData\Roaming\HNC\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Microsoft\.wallet

0551038.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All