Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 14, 2021, 9:48 a.m.	Aug. 14, 2021, 9:52 a.m.

Size	1.3MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`fef6b272e83c2db9338ad55ffb6e8f6e`
SHA256	`90d3303cc9628d39013556750168afdcb0d3196d95ae004fd5a9642238636875`
CRC32	`50B532DD`
ssdeep	`24576:2cFXB3P/KiY386VWysaBaotyaD8u9hZ0Bc0TU522c:tWzXko8awdc0Ty22c`
Yara	OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\update.dll,TMethodImplementationIntercept
1768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\update.dll,
1648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\update.dll,dbk_fcall_wrapper
2752
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\update.dll,dbkFCallWrapperAddr
2816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\update.dll,
2308

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
192.52.167.44	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 14, 2021, 9:48 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (33 events)

Time & API	Arguments	Status	Return
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00314ea8 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x003144f8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00314ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: ¤RSA2KqÆn½LU,N÷9ç¿ÖÚ\¹«XnzðtY¶BGÑúD:Úÿ"²Ï±L¤¡(²$½ó« ;H6AÑY9Ï¸yÚé\#&ÉÌ5Ù ÛzÂ£:ûË2 [KG«q¡rûþñäsR;¸ãí#_k@¿9¥ÄÊõR5#1BP $>Ï.Ë34øH°ãÚqHjÍn¥A(ðôâ`ÀÛQûKâ·a>'IODúN¶r Ðng¿¾òØëSUj/Â6ãpõ¶u¯þÍîº¡_Â!Ç«×£'3ÂýºÍQÄÏÏî.äqI´F\|vìùABÃ[ øCa´2Wþd>Á½´ÐÌ61Øö79¨Ôn)ÔÌZë³Òvo/;2MèÂÝE`k-Ó}:4«ì×ÝâË']1Trå"Ã"Vé¹«\|é)7ÌÆBw9)b5â/>~ß!¾nç}tf×Ksh.ò#úE Rªõ"µKh ¤i\ dß¶°}GW Pªáè_XNb® ³Áçª&cël6:o© ñ^Ábß·T´ØTévW5Âx( ÞWµµøwºÐÛOó»òOÌø©xæJxw3-r=Mÿyªay;ÓÏ }³rkò7v3ô}T¶¬ðÐÏýPÿu crypto_handle: 0x00314ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00314ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: ¤RSA1KqÆn½LU,N÷9ç¿ÖÚ\¹«XnzðtY¶BGÑúD:Úÿ"²Ï±L¤¡(²$½ó*« ;H6AÑY9Ï¸yÚé\#&ÉÌ5Ù ÛzÂ£:ûË2 [KG«q¡rûþñäsR;¸ãí#_k@¿ crypto_handle: 0x00314ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00315080 algorithm_identifier: 0x00006610 () flags: 1 key: f 5¼U~JÅ¼éÒè\|ëSûB«§kÉì`Rüd8 Ú provider_handle: 0x003150d8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: f 5¼U~JÅ¼éÒè\|ëSûB«§kÉì`Rüd8 Ú crypto_handle: 0x00315080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00315080 algorithm_identifier: 0x00006610 () flags: 1 key: f fø]îËÉ^¼ÿBHþICÐ·÷MWºë¹ provider_handle: 0x003150d8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: f fø]îËÉ^¼ÿBHþICÐ·÷MWºë¹ crypto_handle: 0x00315080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00674e60 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x006744b0	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: ¤RSA2;ºË#7É'päå®.g~À E ¿ÚÉuÛüûÿõAËè¸õ/¼vØ<U&¯"©öÓ%u ®gi³óØ8ÕOaRFdvAàþEÈNñl~ÍY1²YSfþª¤´fÊêûrz¨¾KìEBÉ¨ß;û¢Ðµ[z\|ø$ÞÐ>@òj`VÍÊ7uX×g\=rpÙúâ·íÈ·zòzhÌ½½ªí%Mø9ØEf AÃ±#¬D¢ú¾«DóeRÌU¢ñIþ ÔMCC¶Åï1P%5ããì©;ÎµK-µäÕÛ±Bñè)KAGìJ}Où¿dRJÊ(È-,,ÚKFMþ\bOÓé-lÝ~mB»Ð5ín5Y^äeRÑûÉPÞ àÞ.]ó´óUp+õö¶Y÷SxE´K&°ó>WPåABr[ 3NJ¼×QõDl7ÇmeX%3;_ ìmÃÔ§-êßo¬âäÙ¼[©D¸KxÅèE )q"`ñ4.c¦ã f@l9¸b6ÊSV ÇvêNÜ/«÷.ÏbÍg¶2Qsàz½ñã©"á/ñÿs6L¤cKß[9Þ¾]çj×dTß°óÞ)tt¹Üãø\|ÔLñüÂßçYAHoåd±Ïn×ÄÊ3&(£Ò¯a8ùÇõ9óEs crypto_handle: 0x00674e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: ¤RSA1;ºË#7É'päå®.g~À E ¿ÚÉuÛüûÿõAËè¸õ/¼vØ<U&¯"©öÓ%u ®gi³óØ8ÕOaRFdvAàþEÈNñl~ÍY1²YSfþª¤´fÊêûrz¨¾KìEBÉ¨ crypto_handle: 0x00674e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00675038 algorithm_identifier: 0x00006610 () flags: 1 key: f në+BbNòûTa!Ø%ß"w¢7E¹WÃ provider_handle: 0x00675090	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: f në+BbNòûTa!Ø%ß"w¢7E¹WÃ crypto_handle: 0x00675038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00675038 algorithm_identifier: 0x00006610 () flags: 1 key: f ñ9t¨q µW8¼çè@ï2Ú èìÌFëÁÐ0éæö provider_handle: 0x00675090	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: f ñ9t¨q µW8¼çè@ï2Ú èìÌFëÁÐ0éæö crypto_handle: 0x00675038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00674e70 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x006744c0	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: ¤RSA2·ì<R"¨ ë=+9 ö[ jþyê¸\|RÝ;é°q]~vª¬î½\ÅÇeiøîñN7h4\eÕØÏ² dO'Ñ6/º¤²I¸QÍ§F´#ÅÀ÷ý¨4~~Éee«ÍãYÜåIàlZ½gyg³ LðÊè#d6åç¡#,ÿMa#J+ëåÎ'á5ÇÜî2V .¿ÿ÷´QÕBWÊ(5õ)áµ¨føc} wJÄ^K`ê¹9dÁ¯ä"95AÂ¦ÔÀWÕé0Ð±+ØåýÌ?§ ´R:æG·q¸!«&Ït!ûÏE@8ÇÌ$eïgðiÝÄDPR&471Âà,3ìö0/!N«ç½®EþÔ¦vO''«þ¥\Å(î¦ÈÕÝf¬©ïäÞê&¥ÝéëÌJ$ç*Ðµ÷zÊBÕ{ÕÉ'ìè£sq îsIá+U3¶Zvc[cXp('Û}¥²ÕQM9xêüÃ¶#7oÑ;Óëk¢:cÈnPû ÍÜ"F!ÀÝÞàÇ³÷:kkÆó Lp6F9_¥ôvñïRÀUØ Ýþºnýøz Z:×ÚïÀt´¸àcüoJ#¡ÈðÂ_É/]^zSÛÜ'IüK¼Ñ½^chI(ÀÙ½#PV£R¸JyåàÂÂñ®[ÞÂ×Íï crypto_handle: 0x00674e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: ¤RSA1·ì<R"¨ ë=+9 ö[ jþyê¸\|RÝ;é°q]~vª¬î½\ÅÇeiøîñN7h4\eÕ*ØÏ² dO'Ñ6/º¤²I¸QÍ§F´#ÅÀ÷ý¨4~~Éee«ÍãYÜåIàlZ½gyg³ crypto_handle: 0x00674e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00675048 algorithm_identifier: 0x00006610 () flags: 1 key: f Å`ÝãÒ%¨Æè>$3¾-b£)±ãI0öçÃi<< provider_handle: 0x006750a0	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: f Å`ÝãÒ%¨Æè>$3¾-b£)±ãI0öçÃi<< crypto_handle: 0x00675048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Aug. 14, 2021, 9:48 a.m.	crypto_handle: 0x00675048 algorithm_identifier: 0x00006610 () flags: 1 key: f ¦êeÇhÑTúèîÜnÝWî5j-2ëPÆW5¤Ý:Ë provider_handle: 0x006750a0	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Aug. 14, 2021, 9:48 a.m.	buffer: f ¦êeÇhÑTúèîÜnÝWî5j-2ëPÆW5¤Ý:Ë crypto_handle: 0x00675048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 14, 2021, 9:48 a.m.	stacktrace: rundll32+0x1326 @ 0x4d1326 rundll32+0x1901 @ 0x4d1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff exception.instruction: add byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: dbkFCallWrapperAddr+0xd3a74 TMethodImplementationIntercept-0x1744e8c update+0x133630 exception.address: 0x1f43630 registers.esp: 2816036 registers.edi: 0 registers.eax: 459644 registers.ebp: 2816152 registers.edx: 9 registers.ebx: 0 registers.esi: 459644 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f46000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 19484672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73520000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73432000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b86000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b86000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2021, 9:48 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 218 seconds, actually delayed analysis time by 217 seconds

Queries for potentially installed applications (50 out of 105 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000168 options: 0 access: 0x02000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6 base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6 base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 14, 2021, 9:48 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x80000002 key_handle: 0x0000016c options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 47efc539d26141843dcacb07f6880c291eeb6481

Communicates with host for which no DNS query was performed (1 event)

host

192.52.167.44

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Aug. 14, 2021, 9:48 a.m.	key_handle: 0x0000016c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.fef6b272e83c2db9
K7AntiVirus	Spyware ( 0057f3611 )
K7GW	Spyware ( 0057f3611 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Danabot.S
APEX	Malicious
Kaspersky	HEUR:Trojan-Banker.Win32.Danabot.gen
Avast	Win32:BankerX-gen [Trj]
Rising	Trojan.Generic@ML.88 (RDML:e/a9aUzdfJ8ivNcDTZGblg)
McAfee-GW-Edition	BehavesLike.Win32.Infected.th
Ikarus	Trojan-Spy.Agent
Avira	HEUR/AGEN.1144074
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	Win32.Trojan.PSE.N7EEU0
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Danabot.R430712
McAfee	Artemis!FEF6B272E83C
Malwarebytes	Trojan.DanaBot
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Danabot.S!tr
AVG	Win32:BankerX-gen [Trj]
Panda	Trj/GdSda.A

update.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All