Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2023, 5:58 p.m.	April 21, 2023, 6:17 p.m.

Size	3.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`dc26d49b647e26665fe94dfe5a3b6cff`
SHA256	`2ccb241464087a1296d795e47d12ee60295876126e2cbece750241ce0cf32a89`
CRC32	`E960B3B6`
ssdeep	`98304:+KKaz/ACVrPAcKHrV+LRzADH6G3ILhAUATHCxyRocMd4v6:J5nVrohHrOADaG3ILlDxyRqdE6`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

smwd5306.exe "C:\Users\test22\AppData\Local\Temp\smwd5306.exe"
2564
- cmd.exe cmd /C ""C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe" /install /pin:1 /rdr:1 "/s:N4LjSLF" "/is:1" "/it:1" "/ih:1" "/ei:1" "/ci:1" "/fi:1" "/oi:1" "/urlset:searching""
  2696
  - smu.exe "C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe" /install /pin:1 /rdr:1 "/s:N4LjSLF" "/is:1" "/it:1" "/ih:1" "/ei:1" "/ci:1" "/fi:1" "/oi:1" "/urlset:searching"
    2756
- sc.exe "C:\Windows\system32\sc.exe" start SMUpd
  2828
- cmd.exe cmd /C ""C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe" "uninstall1" "Search""
  2216
  - smp.exe "C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe" "uninstall1" "Search"
    2464
- cmd.exe cmd /C ""C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe" "install1" "http://www-searching.com/?s=N4LjSLF&pi=3" "Search""
  2736
  - smp.exe "C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe" "install1" "http://www-searching.com/?s=N4LjSLF&pi=3" "Search"
    2824
- cmd.exe cmd /C ""C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe" "install2" "http://www-searching.com/?s=N4LjSLF&pi=3""
  1528
  - smp.exe "C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe" "install2" "http://www-searching.com/?s=N4LjSLF&pi=3"
    2192
    - dw20.exe dw20.exe -x -s 888
      2544
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
pwvz71qp-ur1xo6pn.netdna-ssl.com
d23ocewf5ttxmu.cloudfront.net	A 18.67.47.49 A 18.67.47.220 A 18.67.47.213 A 18.67.47.131 A 54.192.60.3 A 54.192.60.84 A 54.192.60.52 A 54.192.60.209	54.230.169.173

IP Address	Status	Action
164.124.101.2	Active	Moloch
18.67.47.49	Active	Moloch
54.192.60.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49174 -> 18.67.47.49:80	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 192.168.56.101:49173 -> 18.67.47.49:80	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA April 21, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2023, 5:58 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 21, 2023, 5:51 p.m.	buffer: SERVICE_NAME: SMUpd TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 2888 FLAGS : console_handle: 0x0000000000000007	1	1	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 21, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003dbf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003dbf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ebef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ebf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files (x86)\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\(Default)

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2023, 5:58 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2023, 5:58 p.m.	stacktrace: Free+0x8a89 accdownload+0x22e89 @ 0x72cb2e89 Get-0x144e1 accdownload+0x110f @ 0x72c9110f Utility101+0x1a Utility102-0xa6 accdownload+0x1987a @ 0x72ca987a smwd5306+0x1ff6 @ 0x401ff6 smwd5306+0x13a8 @ 0x4013a8 exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e0 5b eb 38 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Free+0xa9c6 accdownload+0x24dc6 exception.address: 0x72cb4dc6 registers.esp: 1632792 registers.edi: 1925775360 registers.eax: 1 registers.ebp: 1632848 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1633008 registers.ecx: 1563789461	1	0	0
__exception__ April 21, 2023, 5:58 p.m.	stacktrace: Free+0x8aac accdownload+0x22eac @ 0x72cb2eac Get-0x144e1 accdownload+0x110f @ 0x72c9110f Utility101+0x1a Utility102-0xa6 accdownload+0x1987a @ 0x72ca987a smwd5306+0x1ff6 @ 0x401ff6 smwd5306+0x13a8 @ 0x4013a8 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Free+0xaa88 accdownload+0x24e88 exception.address: 0x72cb4e88 registers.esp: 1632792 registers.edi: 1925775360 registers.eax: 1447909480 registers.ebp: 1632848 registers.edx: 22104 registers.ebx: 0 registers.esi: 1633008 registers.ecx: 10	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=15adccbdf2e3e994baa9e12797b52a14&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C
suspicious_features	POST method with no referer header	suspicious_request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=3d0118e6f5b93e2a167614e8a0d320e7&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C
suspicious_features	POST method with no referer header	suspicious_request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=271b06c792838b8d992c8cd45f4a3897&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C

Performs some HTTP requests (3 events)

request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=15adccbdf2e3e994baa9e12797b52a14&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C
request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=3d0118e6f5b93e2a167614e8a0d320e7&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C
request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=271b06c792838b8d992c8cd45f4a3897&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C

Sends data using the HTTP POST Method (3 events)

request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=15adccbdf2e3e994baa9e12797b52a14&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C
request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=3d0118e6f5b93e2a167614e8a0d320e7&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C
request	POST http://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=N4LjSLF&v=2.1.5.306&md5=271b06c792838b8d992c8cd45f4a3897&mid=AAA0A3AGAJA9A9A7A3AJieie777G3DiL7L77793D1JiAA1&uid=A14B9EAF-39FF-49F6-A848-E4C05A9C6A9C

Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72431000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72432000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00443000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00444000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:58 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72431000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72432000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00599000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\Application\chrome.exe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences

Creates executable files on the filesystem (24 events)

file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\nsExec.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smoi32.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smi32.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smi64.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\SBIEBrowserHelperObject.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smri32.dll
file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\nsDialogs.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smoi64.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\sma.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smci64.dll
file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\System.dll
file	C:\ProgramData\SearchModule\smhe.js
file	C:\Program Files\Common Files\Goobzo\GBUpdate\Updater.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smri64.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smfi32.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smei32.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smei64.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\SMUninstall.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smfi64.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\Search.lnk
file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\AccDownload.dll
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smci32.dll

Creates a shortcut to an executable file (14 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
file	C:\Program Files\Common Files\Goobzo\GBUpdate\Search.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk

Drops a binary and executes it (2 events)

file	C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe
file	C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\nsExec.dll
file	C:\Users\test22\AppData\Local\Temp\nstEF53.tmp\AccDownload.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 21, 2023, 5:58 p.m.	show_type: 0 filepath_r: C:\Windows\system32\sc.exe parameters: start SMUpd filepath: C:\Windows\System32\sc.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (33 events)

Time & API	Arguments	Status	Return
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: smss.exe process_identifier: 224	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: services.exe process_identifier: 444	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: pw.exe process_identifier: 988	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: taskhost.exe process_identifier: 2380	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: smwd5306.exe process_identifier: 2564	1	1
Process32NextW April 21, 2023, 5:58 p.m.	snapshot_handle: 0x00000244 process_name: process_identifier: 15		0

Expresses interest in specific running processes (1 event)

process

smwd5306.exe

Queries for potentially installed applications (50 out of 68 events)

Time & API	Arguments	Status
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000244 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: 7-Zip base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: AddressBook base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Connection Manager base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Fontcore base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: HashTab base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IE40 base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IE4Data base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IEData base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Mozilla Firefox 105.0.1 (x64 en-US) base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: MozillaMaintenanceService base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: WIC base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F86417051FF} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-0028-0412-1000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-002A-0000-1000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-002A-0409-1000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0409-1000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-002A-0412-1000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0412-1000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042 base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: AddressBook base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Connection Manager base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: EditPlus base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Fontcore base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Google Chrome base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IE40 base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IE4Data base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: IEData base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: WIC base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:58 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\sc.exe" start SMUpd
cmdline	C:\Windows\System32\sc.exe start SMUpd

Installs itself for autorun at Windows startup (1 event)

service_name

SMUpd

service_path

C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe \service

Created a service where a service was also not started (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 21, 2023, 5:58 p.m.	service_start_name: start_type: 3 password: display_name: Search Module UpdateD filepath: C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys service_name: SMUpdd filepath_r: C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys desired_access: 983551 service_handle: 0x0000000000246710 error_control: 1 service_type: 1 service_manager_handle: 0x00000000002466e0	1	2385680	0
CreateServiceW April 21, 2023, 5:58 p.m.	service_start_name: start_type: 2 password: display_name: Search Module Update filepath: C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe \service service_name: SMUpd filepath_r: C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe /service desired_access: 983551 service_handle: 0x0000000000246710 error_control: 1 service_type: 16 service_manager_handle: 0x00000000002466e0	1	2385680	0

Collects information about installed applications (43 events)

Time & API	Arguments	Status
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox (x64 en-US) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 7 Update 51 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Office 64-bit Components 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 ??? ?? ? regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:58 p.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2023, 5:58 p.m.	stacktrace: Free+0x8aac accdownload+0x22eac @ 0x72cb2eac Get-0x144e1 accdownload+0x110f @ 0x72c9110f Utility101+0x1a Utility102-0xa6 accdownload+0x1987a @ 0x72ca987a smwd5306+0x1ff6 @ 0x401ff6 smwd5306+0x13a8 @ 0x4013a8 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Free+0xaa88 accdownload+0x24e88 exception.address: 0x72cb4e88 registers.esp: 1632792 registers.edi: 1925775360 registers.eax: 1447909480 registers.ebp: 1632848 registers.edx: 22104 registers.ebx: 0 registers.esi: 1633008 registers.ecx: 10	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Lionic	Riskware.NSIS.Agent.1!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Tedy.6253
FireEye	Generic.mg.dc26d49b647e2666
CAT-QuickHeal	PUA.Goobzoltd.Gen
ALYac	Gen:Variant.Tedy.6253
Malwarebytes	PUP.Optional.Goobzo
VIPRE	Gen:Variant.Tedy.6253
Sangfor	PUA.Win32.Sign.a
CrowdStrike	win/grayware_confidence_90% (W)
K7GW	Unwanted-Program ( 00587aed1 )
K7AntiVirus	Unwanted-Program ( 00587aed1 )
Arcabit	PUP.Adware.Goobzo
VirIT	PUP.Win32.Goobzo.E
Cyren	W64/Goobzo.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/SBWatchman.D potentially unwanted
Cynet	Malicious (score: 99)
APEX	Malicious
ClamAV	Win.Adware.Graftor-3729
Kaspersky	not-a-virus:UDS:AdWare.Win32.WatchMan.gen
BitDefender	Gen:Variant.Tedy.6253
NANO-Antivirus	Riskware.Win32.Shopper.dwtebt
Avast	Win32:ShopperPro-G [Adw]
Tencent	Win32.Trojan.FalseSign.Twhl
Sophos	Goobzo (PUA)
F-Secure	PotentialRisk.PUA/SearchModule.Gen
DrWeb	Adware.Searcher.2795
Zillya	Adware.Shopper.Win32.425
McAfee-GW-Edition	PUP-XCE-NZ
Emsisoft	Application.AdLoad (A)
Webroot	Pua.Goobzo
Avira	PUA/SearchModule.Gen
Antiy-AVL	Trojan[Downloader]/NSIS.Agent.ri
Gridinsoft	Adware.Crossrider.vl!c
Xcitium	Application.Win32.ShopperPro.A@5t8nd1
Microsoft	BrowserModifier:Win32/Smudplu
ZoneAlarm	not-a-virus:UDS:AdWare.Win32.WatchMan.gen
GData	Win32.Application.GoobZo.A
Google	Detected
AhnLab-V3	Win-PUP/CrossRider.X1378
McAfee	Artemis!DC26D49B647E
MAX	malware (ai score=100)
VBA32	AdWare.Shopper
Cylance	unsafe
Panda	Adware/Goobzo
Rising	PUF.Presenoker!8.F608 (TFE:5:QM5AQyszXAS)
Yandex	Riskware.Agent!/M5GL1lxOxM
Ikarus	PUA.MSIL.SBWatchman
Fortinet	Riskware/Moat.78B422EC

smwd5306.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All