Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 7:55 a.m.	Dec. 14, 2023, 8:02 a.m.

Size	6.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`84326112ddead59fca719ef1d7d87685`
SHA256	`d073a0f9998570952bbd15f517aeb1246a0bec0b131efae97e6ac0d9604bc7b5`
CRC32	`3E5DE826`
ssdeep	`98304:LSii6sWKv6DfKjbNu7ZaI8RsSPgV4cswPuxXnLETiyh5LLvW+P7bQc5eKT:W6RKCjSbNY8RXgXsJLeLjN7bBF`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature ftp_command - ftp command UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

PC_Cleaner.exe "C:\Users\test22\AppData\Local\Temp\PC_Cleaner.exe"
2080
- PC_Cleaner.tmp "C:\Users\test22\AppData\Local\Temp\is-U68DC.tmp\PC_Cleaner.tmp" /SL5="$30028,5947172,780800,C:\Users\test22\AppData\Local\Temp\PC_Cleaner.exe"
  2156
  - PCCNotifications.exe "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe"
    2632
  - PCCleaner.exe "C:\Program Files (x86)\PC Cleaner\PCCleaner.exe"
    2668
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
notifications.avqtools.com	A 116.203.251.147	116.203.251.147
techsupport.avqtools.com	A 116.203.251.147	116.203.251.147
webtools.avanquest.com	A 37.59.71.200	37.59.71.200
stats.avqtools.com
www.pchelpsoft.com	A 104.26.0.116 A 172.67.73.195 A 104.26.1.116	104.26.0.116

IP Address	Status	Action
104.26.0.116	Active	Moloch
116.203.251.147	Active	Moloch
164.124.101.2	Active	Moloch
37.59.71.200	Active	Moloch
194.36.191.196	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 37.59.71.200:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 37.59.71.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 37.59.71.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 37.59.71.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 37.59.71.200:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 104.26.0.116:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 37.59.71.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 116.203.251.147:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 116.203.251.147:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 116.203.251.147:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 116.203.251.147:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49179 104.26.0.116:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=pchelpsoft.com	60:5b:eb:bb:e1:3c:95:d3:f0:df:8f:64:21:e8:77:41:1a:42:74:53

Queries for the computername (19 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 14, 2023, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 8:01 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2023, 7:55 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 8 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Dec. 14, 2023, 8 a.m.	stacktrace: TMethodImplementationIntercept+0x1708f9 dbkFCallWrapperAddr-0x1858e3 pccnotifications+0x1cdcc5 @ 0x5cdcc5 TMethodImplementationIntercept+0x178425 dbkFCallWrapperAddr-0x17ddb7 pccnotifications+0x1d57f1 @ 0x5d57f1 TMethodImplementationIntercept+0x17867d dbkFCallWrapperAddr-0x17db5f pccnotifications+0x1d5a49 @ 0x5d5a49 TMethodImplementationIntercept+0x178018 dbkFCallWrapperAddr-0x17e1c4 pccnotifications+0x1d53e4 @ 0x5d53e4 TMethodImplementationIntercept+0x178267 dbkFCallWrapperAddr-0x17df75 pccnotifications+0x1d5633 @ 0x5d5633 TMethodImplementationIntercept+0x1787e1 dbkFCallWrapperAddr-0x17d9fb pccnotifications+0x1d5bad @ 0x5d5bad TMethodImplementationIntercept+0x17ca01 dbkFCallWrapperAddr-0x1797db pccnotifications+0x1d9dcd @ 0x5d9dcd TMethodImplementationIntercept+0x2ae47f dbkFCallWrapperAddr-0x47d5d pccnotifications+0x30b84b @ 0x70b84b TMethodImplementationIntercept+0x4a808 dbkFCallWrapperAddr-0x2ab9d4 pccnotifications+0xa7bd4 @ 0x4a7bd4 __dbk_fcall_wrapper-0x5d6e pccnotifications+0x9566 @ 0x409566 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 75495028 registers.edi: 0 registers.eax: 75495028 registers.ebp: 75495108 registers.edx: 0 registers.ebx: 36402304 registers.esi: 0 registers.ecx: 7	1
__exception__ Dec. 14, 2023, 8 a.m.	stacktrace: TMethodImplementationIntercept+0x1708f9 dbkFCallWrapperAddr-0x1858e3 pccnotifications+0x1cdcc5 @ 0x5cdcc5 TMethodImplementationIntercept+0x178425 dbkFCallWrapperAddr-0x17ddb7 pccnotifications+0x1d57f1 @ 0x5d57f1 TMethodImplementationIntercept+0x17867d dbkFCallWrapperAddr-0x17db5f pccnotifications+0x1d5a49 @ 0x5d5a49 TMethodImplementationIntercept+0x178018 dbkFCallWrapperAddr-0x17e1c4 pccnotifications+0x1d53e4 @ 0x5d53e4 TMethodImplementationIntercept+0x178267 dbkFCallWrapperAddr-0x17df75 pccnotifications+0x1d5633 @ 0x5d5633 TMethodImplementationIntercept+0x1787e1 dbkFCallWrapperAddr-0x17d9fb pccnotifications+0x1d5bad @ 0x5d5bad TMethodImplementationIntercept+0x17ca01 dbkFCallWrapperAddr-0x1797db pccnotifications+0x1d9dcd @ 0x5d9dcd TMethodImplementationIntercept+0x2ae782 dbkFCallWrapperAddr-0x47a5a pccnotifications+0x30bb4e @ 0x70bb4e TMethodImplementationIntercept+0x4a808 dbkFCallWrapperAddr-0x2ab9d4 pccnotifications+0xa7bd4 @ 0x4a7bd4 __dbk_fcall_wrapper-0x5d6e pccnotifications+0x9566 @ 0x409566 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 75495028 registers.edi: 0 registers.eax: 75495028 registers.ebp: 75495108 registers.edx: 0 registers.ebx: 36402304 registers.esi: 0 registers.ecx: 7	1
__exception__ Dec. 14, 2023, 8 a.m.	stacktrace: TMethodImplementationIntercept+0x1708f9 dbkFCallWrapperAddr-0x1858e3 pccnotifications+0x1cdcc5 @ 0x5cdcc5 TMethodImplementationIntercept+0x178425 dbkFCallWrapperAddr-0x17ddb7 pccnotifications+0x1d57f1 @ 0x5d57f1 TMethodImplementationIntercept+0x17867d dbkFCallWrapperAddr-0x17db5f pccnotifications+0x1d5a49 @ 0x5d5a49 TMethodImplementationIntercept+0x178018 dbkFCallWrapperAddr-0x17e1c4 pccnotifications+0x1d53e4 @ 0x5d53e4 TMethodImplementationIntercept+0x178267 dbkFCallWrapperAddr-0x17df75 pccnotifications+0x1d5633 @ 0x5d5633 TMethodImplementationIntercept+0x1787e1 dbkFCallWrapperAddr-0x17d9fb pccnotifications+0x1d5bad @ 0x5d5bad TMethodImplementationIntercept+0x17ca01 dbkFCallWrapperAddr-0x1797db pccnotifications+0x1d9dcd @ 0x5d9dcd TMethodImplementationIntercept+0x2aea9a dbkFCallWrapperAddr-0x47742 pccnotifications+0x30be66 @ 0x70be66 TMethodImplementationIntercept+0x4a808 dbkFCallWrapperAddr-0x2ab9d4 pccnotifications+0xa7bd4 @ 0x4a7bd4 __dbk_fcall_wrapper-0x5d6e pccnotifications+0x9566 @ 0x409566 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 75495028 registers.edi: 0 registers.eax: 75495028 registers.ebp: 75495108 registers.edx: 0 registers.ebx: 36402304 registers.esi: 0 registers.ecx: 7	1
__exception__ Dec. 14, 2023, 8 a.m.	stacktrace: TMethodImplementationIntercept+0x1708f9 dbkFCallWrapperAddr-0x1858e3 pccnotifications+0x1cdcc5 @ 0x5cdcc5 TMethodImplementationIntercept+0x178425 dbkFCallWrapperAddr-0x17ddb7 pccnotifications+0x1d57f1 @ 0x5d57f1 TMethodImplementationIntercept+0x17867d dbkFCallWrapperAddr-0x17db5f pccnotifications+0x1d5a49 @ 0x5d5a49 TMethodImplementationIntercept+0x178018 dbkFCallWrapperAddr-0x17e1c4 pccnotifications+0x1d53e4 @ 0x5d53e4 TMethodImplementationIntercept+0x178267 dbkFCallWrapperAddr-0x17df75 pccnotifications+0x1d5633 @ 0x5d5633 TMethodImplementationIntercept+0x1787e1 dbkFCallWrapperAddr-0x17d9fb pccnotifications+0x1d5bad @ 0x5d5bad TMethodImplementationIntercept+0x17ca01 dbkFCallWrapperAddr-0x1797db pccnotifications+0x1d9dcd @ 0x5d9dcd TMethodImplementationIntercept+0x17df9e dbkFCallWrapperAddr-0x17823e pccnotifications+0x1db36a @ 0x5db36a TMethodImplementationIntercept+0x2af083 dbkFCallWrapperAddr-0x47159 pccnotifications+0x30c44f @ 0x70c44f TMethodImplementationIntercept+0x4a808 dbkFCallWrapperAddr-0x2ab9d4 pccnotifications+0xa7bd4 @ 0x4a7bd4 __dbk_fcall_wrapper-0x5d6e pccnotifications+0x9566 @ 0x409566 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 75494576 registers.edi: 0 registers.eax: 75494576 registers.ebp: 75494656 registers.edx: 0 registers.ebx: 36402456 registers.esi: 0 registers.ecx: 7	1
__exception__ Dec. 14, 2023, 8 a.m.	stacktrace: TMethodImplementationIntercept+0x22a0d1 dbkFCallWrapperAddr-0x362093 pccleaner+0x28a515 @ 0x68a515 TMethodImplementationIntercept+0x231bfd dbkFCallWrapperAddr-0x35a567 pccleaner+0x292041 @ 0x692041 TMethodImplementationIntercept+0x231e55 dbkFCallWrapperAddr-0x35a30f pccleaner+0x292299 @ 0x692299 TMethodImplementationIntercept+0x2317f0 dbkFCallWrapperAddr-0x35a974 pccleaner+0x291c34 @ 0x691c34 TMethodImplementationIntercept+0x231a3f dbkFCallWrapperAddr-0x35a725 pccleaner+0x291e83 @ 0x691e83 TMethodImplementationIntercept+0x23258b dbkFCallWrapperAddr-0x359bd9 pccleaner+0x2929cf @ 0x6929cf TMethodImplementationIntercept+0x23ce95 dbkFCallWrapperAddr-0x34f2cf pccleaner+0x29d2d9 @ 0x69d2d9 TMethodImplementationIntercept+0x4c9222 dbkFCallWrapperAddr-0xc2f42 pccleaner+0x529666 @ 0x929666 TMethodImplementationIntercept+0x4ca35a dbkFCallWrapperAddr-0xc1e0a pccleaner+0x52a79e @ 0x92a79e TMethodImplementationIntercept+0x4ca7ef dbkFCallWrapperAddr-0xc1975 pccleaner+0x52ac33 @ 0x92ac33 TMethodImplementationIntercept+0x1601cf dbkFCallWrapperAddr-0x42bf95 pccleaner+0x1c0613 @ 0x5c0613 TMethodImplementationIntercept+0xad2b9 dbkFCallWrapperAddr-0x4deeab pccleaner+0x10d6fd @ 0x50d6fd TMethodImplementationIntercept+0xb1cd2 dbkFCallWrapperAddr-0x4da492 pccleaner+0x112116 @ 0x512116 TMethodImplementationIntercept+0x160c8e dbkFCallWrapperAddr-0x42b4d6 pccleaner+0x1c10d2 @ 0x5c10d2 TMethodImplementationIntercept+0xacef3 dbkFCallWrapperAddr-0x4df271 pccleaner+0x10d337 @ 0x50d337 TMethodImplementationIntercept+0xb109a dbkFCallWrapperAddr-0x4db0ca pccleaner+0x1114de @ 0x5114de TMethodImplementationIntercept+0xb11a9 dbkFCallWrapperAddr-0x4dafbb pccleaner+0x1115ed @ 0x5115ed TMethodImplementationIntercept+0xb3d43 dbkFCallWrapperAddr-0x4d8421 pccleaner+0x114187 @ 0x514187 TMethodImplementationIntercept+0xb1cd2 dbkFCallWrapperAddr-0x4da492 pccleaner+0x112116 @ 0x512116 TMethodImplementationIntercept+0x160c8e dbkFCallWrapperAddr-0x42b4d6 pccleaner+0x1c10d2 @ 0x5c10d2 TMethodImplementationIntercept+0xacef3 dbkFCallWrapperAddr-0x4df271 pccleaner+0x10d337 @ 0x50d337 TMethodImplementationIntercept+0xaba07 dbkFCallWrapperAddr-0x4e075d pccleaner+0x10be4b @ 0x50be4b TMethodImplementationIntercept+0x564d93 dbkFCallWrapperAddr-0x273d1 pccleaner+0x5c51d7 @ 0x9c51d7 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1635228 registers.edi: 142 registers.eax: 1635228 registers.ebp: 1635308 registers.edx: 0 registers.ebx: 41226448 registers.esi: 85303912 registers.ecx: 7	1
__exception__ Dec. 14, 2023, 8 a.m.	stacktrace: TMethodImplementationIntercept+0x547cae dbkFCallWrapperAddr-0x444b6 pccleaner+0x5a80f2 @ 0x9a80f2 TMethodImplementationIntercept+0x547cae dbkFCallWrapperAddr-0x444b6 pccleaner+0x5a80f2 @ 0x9a80f2 TMethodImplementationIntercept+0x547ac5 dbkFCallWrapperAddr-0x4469f pccleaner+0x5a7f09 @ 0x9a7f09 TMethodImplementationIntercept+0x550f73 dbkFCallWrapperAddr-0x3b1f1 pccleaner+0x5b13b7 @ 0x9b13b7 TMethodImplementationIntercept+0x4cac04 dbkFCallWrapperAddr-0xc1560 pccleaner+0x52b048 @ 0x92b048 TMethodImplementationIntercept+0xad2b9 dbkFCallWrapperAddr-0x4deeab pccleaner+0x10d6fd @ 0x50d6fd TMethodImplementationIntercept+0xb1cd2 dbkFCallWrapperAddr-0x4da492 pccleaner+0x112116 @ 0x512116 TMethodImplementationIntercept+0x160c8e dbkFCallWrapperAddr-0x42b4d6 pccleaner+0x1c10d2 @ 0x5c10d2 TMethodImplementationIntercept+0xb12ef dbkFCallWrapperAddr-0x4dae75 pccleaner+0x111733 @ 0x511733 TMethodImplementationIntercept+0x4e32e dbkFCallWrapperAddr-0x53de36 pccleaner+0xae772 @ 0x4ae772 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a TMethodImplementationIntercept+0x169e1c dbkFCallWrapperAddr-0x422348 pccleaner+0x1ca260 @ 0x5ca260 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636476 registers.edi: 42449004 registers.eax: 1636476 registers.ebp: 1636556 registers.edx: 0 registers.ebx: 10125554 registers.esi: 10125228 registers.ecx: 7	1

Performs some HTTP requests (1 event)

request

GET https://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 8 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 8 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 8:01 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9904349184 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\
file	C:\Users\test22\AppData\Local\Chromium\User Data\

Creates executable files on the filesystem (4 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner on the Web.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\Uninstall PC Cleaner.lnk
file	C:\Users\test22\Desktop\PC Cleaner.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner.lnk

Creates a shortcut to an executable file (4 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner on the Web.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\Uninstall PC Cleaner.lnk
file	C:\Users\test22\Desktop\PC Cleaner.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-U68DC.tmp\PC_Cleaner.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2023, 8 a.m.	flags: 15 family: 0		111	0

Queries for potentially installed applications (50 out of 67 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Dec. 14, 2023, 7:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 7:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 7:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 7:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 7:56 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1		2
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\		2
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001b0 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001b4 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1 base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW Dec. 14, 2023, 8 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001dc options: 0 access: 0x00000110 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0

Communicates with host for which no DNS query was performed (1 event)

host

194.36.191.196

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-U68DC.tmp\PC_Cleaner.tmp

Collects information about installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: PC Cleaner v8.0.0.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000001dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x00000260 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x00000280 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox (x64 en-US) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office 64-bit Components 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW Dec. 14, 2023, 8 a.m.	key_handle: 0x000002d8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Malwarebytes	PUP.Optional.PCCleaner
Sangfor	Trojan.Win32.Avanquest.Vzl7
CrowdStrike	win/grayware_confidence_100% (W)
ESET-NOD32	a variant of Win32/Avanquest.C potentially unwanted
Rising	PUA.Avanquest!8.1070F (CLOUD)
DrWeb	Program.Unwanted.4792
Ikarus	PUA.Avanquest
GData	Win32.Application.PCHelpSoft.A
Gridinsoft	PUP.PCCleaner.dd!c
DeepInstinct	MALICIOUS
Fortinet	Riskware/Avanquest

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

PC_Cleaner.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All