Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 12, 2021, 9:40 a.m.	July 12, 2021, 9:52 a.m.

Size	4.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2e666d262882b4262701b63378d44cb2`
SHA256	`b0bc5a3dae0127da8f7743df8dc4014e9ba08c5a29928448aed8764242050da2`
CRC32	`88D0FDEA`
ssdeep	`98304:PZTNS/1tZErtAOG7JHkDtbbWRNaOV6mDwaitoigLYaX9Q5:tNS/1q6Omt9hV6WLiSiS9Q5`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

bat_english.exe "C:\Users\test22\AppData\Local\Temp\bat_english.exe"
2448
- cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im bat_english.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\Temp\bat_english.exe" & del C:\ProgramData\*.dll & exit
  2680
  - taskkill.exe taskkill /im bat_english.exe /f
    2740
  - timeout.exe timeout /t 6
    2848

Name	Response	Post-Analysis Lookup
sergeevih43.tumblr.com	A 74.114.154.18 A 74.114.154.22	74.114.154.22

IP Address	Status	Action
162.55.223.232	Active	Moloch
164.124.101.2	Active	Moloch
74.114.154.18	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 12, 2021, 9:40 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 12, 2021, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 12, 2021, 9:40 a.m.	buffer: SUCCESS: The process "bat_english.exe" with PID 2448 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW July 12, 2021, 9:40 a.m.	buffer: Waiting for 6 console_handle: 0x00000007	1	1
WriteConsoleW July 12, 2021, 9:40 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 9:40 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section
section	eda deer
section	.themida
section	.loadcon
section	.boot

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ July 12, 2021, 9:40 a.m.	stacktrace: bat_english+0x3d9629 @ 0x7d9629 bat_english+0x3d96c6 @ 0x7d96c6 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 1638148 registers.edi: 6492160 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 1572907 registers.esi: 2004710443 registers.ecx: 1182007296	1
__exception__ July 12, 2021, 9:40 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 be ee ed ff exception.symbol: bat_english+0x409402 exception.instruction: in eax, dx exception.module: bat_english.exe exception.exception_code: 0xc0000096 exception.offset: 4232194 exception.address: 0x809402 registers.esp: 1638268 registers.edi: 17378821 registers.eax: 1750617430 registers.ebp: 6492160 registers.edx: 22614 registers.ebx: 4194304 registers.esi: 7279554 registers.ecx: 20	1
__exception__ July 12, 2021, 9:40 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: bat_english+0x409476 exception.instruction: in eax, dx exception.module: bat_english.exe exception.exception_code: 0xc0000096 exception.offset: 4232310 exception.address: 0x809476 registers.esp: 1638268 registers.edi: 17378821 registers.eax: 1447909480 registers.ebp: 6492160 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 7279554 registers.ecx: 10	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://162.55.223.232/947
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.223.232/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.223.232/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.223.232/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.223.232/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.223.232/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.223.232/vcruntime140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://162.55.223.232/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sergeevih43.tumblr.com/

Performs some HTTP requests (9 events)

request	POST http://162.55.223.232/947
request	GET http://162.55.223.232/freebl3.dll
request	GET http://162.55.223.232/mozglue.dll
request	GET http://162.55.223.232/msvcp140.dll
request	GET http://162.55.223.232/nss3.dll
request	GET http://162.55.223.232/softokn3.dll
request	GET http://162.55.223.232/vcruntime140.dll
request	POST http://162.55.223.232/
request	GET https://sergeevih43.tumblr.com/

Sends data using the HTTP POST Method (2 events)

request	POST http://162.55.223.232/947
request	POST http://162.55.223.232/

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 12, 2021, 9:40 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x777ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:40 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:40 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00499000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:40 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00483000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:40 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00483000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:40 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e82000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Chromium\User Data\Local State
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Local State

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im bat_english.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\Temp\bat_english.exe" & del C:\ProgramData\*.dll & exit
cmdline	C:\Windows\System32\cmd.exe /c taskkill /im bat_english.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\Temp\bat_english.exe" & del C:\ProgramData\*.dll & exit

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\bat_english.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "bat_english.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 12, 2021, 9:40 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c taskkill /im bat_english.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\Temp\bat_english.exe" & del C:\ProgramData\*.dll & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 12, 2021, 9:40 a.m.	snapshot_handle: 0x000002f4 process_name: bat_english.exe process_identifier: 2448	1	1	0

An executable file was downloaded by the process bat_english.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile July 12, 2021, 9:40 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile July 12, 2021, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile July 12, 2021, 9:40 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile July 12, 2021, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile July 12, 2021, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile July 12, 2021, 9:40 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00478600', u'virtual_address': u'0x006c1000', u'entropy': 7.9410349604092945, u'name': u'eda deer', u'virtual_size': u'0x00478410'}

entropy

7.94103496041

description

A section with a high entropy has been found

entropy

0.992196813699

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 12, 2021, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (45 events)

Time & API	Arguments	Status
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1
RegOpenKeyExA July 12, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 12, 2021, 9:40 a.m.	status_code: 0x00000001 process_identifier: 2448 process_handle: 0x00000190		0	0
NtTerminateProcess July 12, 2021, 9:40 a.m.	status_code: 0x00000001 process_identifier: 2448 process_handle: 0x00000190	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im bat_english.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\Temp\bat_english.exe" & del C:\ProgramData\*.dll & exit
cmdline	taskkill /im bat_english.exe /f
cmdline	C:\Windows\System32\cmd.exe /c taskkill /im bat_english.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\Temp\bat_english.exe" & del C:\ProgramData\*.dll & exit

Communicates with host for which no DNS query was performed (1 event)

host

162.55.223.232

Checks for the presence of known windows from debuggers and forensic tools (27 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 12, 2021, 9:40 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 9:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\??????

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\bat_english.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Collects information about installed applications (32 events)

Time & API	Arguments	Status
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1
RegQueryValueExA July 12, 2021, 9:40 a.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 12, 2021, 9:40 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2021, 9:40 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: bat_english+0x409476 exception.instruction: in eax, dx exception.module: bat_english.exe exception.exception_code: 0xc0000096 exception.offset: 4232310 exception.address: 0x809476 registers.esp: 1638268 registers.edi: 17378821 registers.eax: 1447909480 registers.ebp: 6492160 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 7279554 registers.ecx: 10	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Stealer.26450
MicroWorld-eScan	Trojan.GenericKD.37216973
FireEye	Generic.mg.2e666d262882b426
CAT-QuickHeal	Trojan.Chapak
ALYac	Trojan.GenericKD.37216973
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (W)
Alibaba	Trojan:Win32/Chapak.7d2e8560
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
BitDefenderTheta	Gen:NN.ZexaF.34790.@31@ae0gNrjO
Cyren	W32/Trojan.NNUY-0661
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenCBL.ANP
TrendMicro-HouseCall	TROJ_GEN.R002H09G721
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Chapak.ezts
BitDefender	Trojan.GenericKD.37216973
Avast	Win32:DangerousSig [Trj]
Rising	Trojan.Generic@ML.81 (RDMK:zMLpWXuq/Fa3uRv67t8sDA)
Ad-Aware	Trojan.GenericKD.37216973
Emsisoft	Trojan.GenericKD.46589278 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Trojan.rc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Chapak.ylasi
MAX	malware (ai score=81)
Microsoft	Trojan:Win32/Vidar.AA!MTB
Gridinsoft	Trojan.Win32.Gen.dd!n
GData	Trojan.GenericKD.37216973
Cynet	Malicious (score: 99)
Acronis	suspicious
McAfee	Artemis!2E666D262882
VBA32	Trojan.Chapak
Malwarebytes	Trojan.Downloader
APEX	Malicious
Yandex	Trojan.Chapak!EM4E3WWqv/I
Ikarus	Trojan.Win32.Generic
Fortinet	W32/Chapak.EZTS!tr
AVG	Win32:DangerousSig [Trj]
Cybereason	malicious.310279
Panda	Trj/CI.A
Qihoo-360	Win32/Trojan.Chapak.HgIASYEA

bat_english.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All