Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 15, 2024, 7:55 a.m.	Feb. 15, 2024, 7:58 a.m.

Size	11.4MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`6c072be39ed9066026637c0b74e74047`
SHA256	`255d1ae2c491b9373cd4d438f80edd02988f7794708897417b0bb2ca70450e36`
CRC32	`5D3B03E8`
ssdeep	`196608:AWx2zpdra2YbT8yN+8Mne5nd7g25FjZC8OH7RbFd/Or+GvJbU9RDf/kuFLOyomFI:AYCrdiNTF5nZ9C8Ud29JuF`
PDB Path	E:\cpp\git7\dll\WndResizerApp.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature IsDLL - (no description) Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,CIrNTzBaPkppGNf
1460
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,FxJWXdx
2188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,CZnIUAAeJ
2100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,GbmgwMEzKpXc
2280
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,HipXGmygXapBRYfa
2388
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,IYfRriwGvbgbXBXReH
2476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,LKSMdMaTT
2568
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,NpZatICsK
2664
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,SOdCGqnNtDWyDo
2768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,UAyCqwHRBMHCdHlVz
2860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,ZfDMgndWxjR
2972
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,iBZHcoeoarRd
1188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,jERKotJBwfw
2208
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,nkYPRlgSTnlUkuDTW
2360
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,rtVNQhSpgienExR
2496
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,start
2632
- powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath
  2368
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,uMRRtkuQVecTfq
2712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,ukniOqaVKgeX
2856
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,yVmJFl
2992
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,
2072

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
195.133.88.98	Active	Moloch
62.173.146.41	Active	Moloch
91.201.67.85	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 15, 2024, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name:		0
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (20 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:57 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath console_handle: 0x00000053	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 127 events)

Time & API	Arguments	Status	Return
CryptGenKey Feb. 15, 2024, 7:55 a.m.	crypto_handle: 0x0228d948 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x0249b990	1	1
CryptExportKey Feb. 15, 2024, 7:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228d948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:55 a.m.	buffer: ¤RSA2×%¨ Q<ÿÐÙNE»d¢ùÈú[æ´®=ÒbÖØ¾ê©ÑÇJãHR ÖQÒÄÉ¡ìÜNQ/û¦ÿxq¥RÞ/Iþ:é=P¼?ev7Á¿VÄ :Wháêæ§Âî:eÍÛ§ÿ %°è-ûúi{é9þÀQ±üB Üòeâ=bûÈ´Ûþm9Ò±}ZÚRL¶{%ßTf"ó®¤ÿUµîøb¶±:wUÓ !Ìî¢ýø Ó6àLÍY¤E3¥Ì já±*¦dÜöÄî}(`êµ2þç)R7uþ.µûà-Î²ily òBùév x$4ïYD Àoðca+Tløèð³áÖ\6î§i(7¢ý,³ý¨Ü²ÁÏ¾ÜxLã&ni)}¢JóºJ{ãÞ?ªè ,ü·ÊdÎ¥ ÀT}1}è)§?7ËàÓí«ø`[QPHÇV¹V¶\|[wÝë3n´»¨¤C]V¬UÑA5Vnï'ÙlX5±>®ÊEêþI®Ó dD¡àÙµ;÷é^×é !OlÛ¿QæÂ $JJÃÊ¾²¥¨½·}e²û¨ü%êÿW§ÿ¹P k <2I¼I&¹í:O5ÍçÐhgá×¸¹,iFwY¦R7ÑÓcQ2½<ûðÃ\|ÓhCqqþQsÇ__ï crypto_handle: 0x0228d948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228d948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 15, 2024, 7:55 a.m.	buffer: ¤RSA1×%¨ Q<ÿÐÙNE»d¢ùÈú[æ´®=ÒbÖØ¾ê©ÑÇJãHR ÖQÒÄÉ¡ìÜNQ/û¦ÿxq¥RÞ/Iþ:é=P¼?ev7Á¿VÄ :Wháêæ§Âî:eÍÛ§ÿ %°è- crypto_handle: 0x0228d948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x022928b8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA2'wíìÑ ;õÁïÎj6U-jâÆ?äo=CÌ½3ôîÑpÁé·Û x®ÃèäêüxLÌÜadöÈÐ#s¨´g\|Èº Ô©·z1QrP0µÌÎ-N3Ûæ êÊoàPS¶¶ºÄ¹³¿ïAêõ`Ó!Ð¬!kî, +(ùêm²¥»Pð-zÀ¨#eBôª1o1r¸UÿaøgäIWÞ<'NÐÔÙPóÝ.éÎ]qxÈrY6±Ñg?Uã:$às}fs©Ékó©Æá@Þq/:2@f´Ö1B/i÷·@nÎbÕ>ÖOüÜ\£6pX]~qhB2¼ZJ´NR9¯*_M}dåÌ¦µÕE¡Ã¥Á<ôøLx²1CKêï5¤rzè§¼fN¥`ôà¾µJ/^12l)îìÔY}=ôÓò)Ã&ðraú°ÄnyZÒÊT/EÿÛd<ð¤¥T¡!jf I®kÕmÇ3®²Þ_89PMÑX±GOó\K}Rgì1x¿h¡É7á,zX°ÓÜ¦`9/)/ÛÝEbP%Ì©iXÅøÈÒÂ«ØeÉú³÷¸dÀAþ£ÍK0°«²XzòÂ(nùÓUÙÍÔ#Ç@Þ^$ÏÊiË:z? crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA1'wíìÑ ;õÁïÎj6U-jâÆ?äo=CÌ½3ôîÑpÁé·Û x®ÃèäêüxLÌÜadöÈÐ#s¨´g\|Èº Ô©·z1QrP0µÌÎ-N3Ûæ êÊoàPS¶¶ºÄ¹³¿ crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228e448 algorithm_identifier: 0x00006610 () flags: 1 key: f Q¦j \|»t*¿Îò~K¶Ø¥`ÑÑv¡DÂtãß provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228e448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f Q¦j \|»t*¿Îò~K¶Ø¥`ÑÑv¡DÂtãß crypto_handle: 0x0228e448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228dc88 algorithm_identifier: 0x00006610 () flags: 1 key: f ¹ãZrÄ©@ápAÊgÒZ¦QTe¼÷Xð provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228dc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ¹ãZrÄ©@ápAÊgÒZ¦QTe¼÷Xð crypto_handle: 0x0228dc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f ¶íØµ9åMtØb8¨a}ýwKudÏ®ðøð«W provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ¶íØµ9åMtØb8¨a}ýwKudÏ®ðøð«W crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f äEU&I3yà±ðo` ø(Z ð]G* provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f äEU&I3yà±ðo` ø(Z ð]G* crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f ºaäês»¦¨ÙIYró)<7#àèAöñØ provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ºaäês»¦¨ÙIYró)<7#àèAöñØ crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f ßk©!îÖ£A8ÌAZ{~Á½5iVm provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ßk©!îÖ£A8ÌAZ{~Á½5iVm crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228dc88 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x022928b8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228dc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA2QÿPýíoÍ79ë4Å0 <{ís;P¶õs"æ´ À¡6ÔR¯DÆþìÖPmÒ@¥²Ò]#ªéDçæÔ\$)urwÇÊ«,bxbÅ/²f@"¾a\|ËÛ4ÌP.ÖµÝâF¦,âqã6÷©Ñ¾{"â-ÆÌ öýnþZùäºÕD` ÷qÑe¾Ðæ é"ù4Ù2ùcù\ûÿ¤ã Ùñ£±tòpÔôp2Ð¦ó`Ñ"#ÄX÷ëmLÏ¢ÁcþæÊkK´L8¯k?¸èP/âQV0Ñ)FÊíXì$» ´J^×Ä¦baöÉ.]@Ðg>U¦ë²j%!¨XÂñ0ïãÏí:¯x>Ý¶äZ7C£ÛJZÿJI 9rM ÚnuÔp¿:öp=&W7 ¬ã© \?ê°x 0 È;Ó×ú8F~ê-°¸XtSÆAóÕI±¸ÛñcÔUë¼+DAø\gA»ÓKuÏ~¶ö0ÊjÆà-¶ÂÊ®ÙÞK\ô[òöôêì]³úFLMµÖò§M8°¾¯nPVåö·l¨êÈ'Ø$«}Aëù¦¡òÍÜpÃÒ}G°gýÜî s¥á²áC©oH+ªûûê´ýpÞjlÕIel²¨?ÌôÃ~¼ crypto_handle: 0x0228dc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228dc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA1QÿPýíoÍ79ë4Å0 <{ís;P¶õs"æ´ À¡6ÔR¯DÆþìÖPmÒ@¥²Ò]#ªéDçæÔ\$)urwÇÊ«,bxbÅ/²f@"¾a\|ËÛ4ÌP.ÖµÝâF¦,âqã6÷©Ñ¾ crypto_handle: 0x0228dc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228e448 algorithm_identifier: 0x00006610 () flags: 1 key: f BçÅ>ÛÀVi UFU\|ÖwO+üc¿_E,æ?è provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228e448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f BçÅ>ÛÀVi UFU\|ÖwO+üc¿_E,æ?è crypto_handle: 0x0228e448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f ê<¾QöUoð@ô¿$[RáÄÊvö5Tg¬ provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ê<¾QöUoð@ô¿$[RáÄÊvö5Tg¬ crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f ËÅ¦°9në.9¹\GE'S3ómJñ" provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ËÅ¦°9në.9¹\GE'S3ómJñ" crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f ah¢ô«½£Ì« 3E"K}7IØÿ-Fsº¹[0Û7¯Ý provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ah¢ô«½£Ì« 3E"K}7IØÿ-Fsº¹[0Û7¯Ý crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f 5íÏ y¿{âì¶ô´ÕÊù ¹ö§÷Èq50AfÚ provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f 5íÏ y¿{âì¶ô´ÕÊù ¹ö§÷Èq50AfÚ crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x0228df08 algorithm_identifier: 0x00006610 () flags: 1 key: f 14N³ç^¨ÜWvÁtÚ1Å¹3ó·ÖOñ[Ë]SEïë provider_handle: 0x02292940	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0228df08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 event)

pdb_path

E:\cpp\git7\dll\WndResizerApp.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla FireFox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\NoModify

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 15, 2024, 7:56 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	PNG
resource name	STYLE_XML
resource name	None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 329 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:55 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f0000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 550 seconds, actually delayed analysis time by 550 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 15, 2024, 7:56 a.m.	number_of_free_clusters: 2422660 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 15, 2024, 7:56 a.m.	number_of_free_clusters: 2422660 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 15, 2024, 7:56 a.m.	number_of_free_clusters: 2422660 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 15, 2024, 7:56 a.m.	number_of_free_clusters: 2422660 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Feb. 15, 2024, 7:56 a.m.	total_number_of_free_bytes: 9923203072 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (27 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000100
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\000005.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK
file	C:\Users\test22\AppData\Roaming\Opera\wand.dat
file	C:\Users\test22\AppData\Local\Programs\Opera\
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
registry	HKEY_CURRENT_USER\Software\Opera Software

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath
cmdline	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_NetworkAdapter
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_ComputerSystem

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Feb. 15, 2024, 7:57 a.m.	show_type: 0 filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe parameters: Add-MpPreference -ExclusionPath filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: pw.exe process_identifier: 760	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: SearchProtocolHost.exe process_identifier: 632	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: SearchFilterHost.exe process_identifier: 1804	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: rundll32.exe process_identifier: 2460	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: svchost.exe process_identifier: 2468	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: mscorsvw.exe process_identifier: 2392	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: mscorsvw.exe process_identifier: 2716	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: conhost.exe process_identifier: 3032	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x0000060c process_name: ﾠ!ʠ process_identifier: 2162688		0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Skyhigh	BehavesLike.Win32.Dropper.wc
ESET-NOD32	a variant of Win32/GenKryptik.GTWG
McAfee	Artemis!6C072BE39ED9
Kaspersky	UDS:Trojan-Banker.Win32.Danabot
Trapmine	suspicious.low.ml.score
Microsoft	Program:Win32/Wacapew.C!ml

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0097d800', u'virtual_address': u'0x00001000', u'entropy': 7.742600573834696, u'name': u'.text', u'virtual_size': u'0x0097d68a'}

entropy

7.74260057383

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00166400', u'virtual_address': u'0x009dc000', u'entropy': 7.564019726941489, u'name': u'.rsrc', u'virtual_size': u'0x00166230'}

entropy

7.56401972694

description

A section with a high entropy has been found

entropy

0.957825115959

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 15, 2024, 7:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Feb. 15, 2024, 7:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 15429 events)

Time & API	Arguments	Status
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Feb. 15, 2024, 7:55 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystem

Communicates with host for which no DNS query was performed (3 events)

host	195.133.88.98
host	62.173.146.41
host	91.201.67.85

Attempts to identify installed AV products by installation directory (3 events)

file	C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
file	C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe
file	C:\Users\test22\AppData\Local\AVAST Software\Browser\Application\AvastBrowser.exe

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to disable browser security warnings (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW Feb. 15, 2024, 7:57 a.m.	key_handle: 0x00000624 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Harvests credentials from local FTP client softwares (50 out of 73 events)

file	C:\ProgramData\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\Quick.dat
file	C:\ProgramData\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\3\History.dat
file	C:\ProgramData\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\Quick.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\Sites.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\Sites.dat
file	C:\ProgramData\FlashFXP\3\Quick.dat
file	C:\ProgramData\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Local\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Roaming\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Local\FTP Explorer\profiles.xml
file	C:\ProgramData\FTP Explorer\profiles.xml
file	C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file	C:\ProgramData\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\History.dat
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\ProgramData\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Roaming\TurboFTP\addrbk.dat
file	C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file	C:\Users\test22\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
registry	HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
registry	HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main

Harvests information related to installed instant messenger clients (9 events)

file	C:\Users\test22\AppData\Roaming\Digsby\Digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\ProgramData\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Trillian\users\global\accounts.ini
file	C:\ProgramData\Trillian\users\global\accounts.ini
file	C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Collects information about installed applications (50 out of 268 events)

Time & API	Arguments	Status
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:55 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1

Harvests credentials from local email clients (25 events)

file	C:\ProgramData\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\History.dat
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\ProgramData\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\Microsoft\Windows Live Mail\
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\HTTP Password
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Import
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Poco Systems Inc\PocoMail 4
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird 78.4.0\extensions
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Scribe\Protocols\mailto\shell
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password2
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F66E87A7CA1FBA923BD6BE809298B088A47E68\Blob

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (2 events)

Time & API	Arguments	Status	Return	Repeated
CryptHashData Feb. 15, 2024, 7:55 a.m.	buffer: Intel64 Family 6 Model 158 Stepping 10Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz7601.17514.amd64fre.win7sp1_rtm.101119-18507b7c15f9-747a-455f-9ba5-f521dde4252d7C6024AD196912319000{3d3783a0-703a-11de-8c7a-806e6f6e6963}TEST22-PC782796E530A92C4D576FE697D2527AA5 hash_handle: 0x0228d948 flags: 0	1	1	0
CryptHashData Feb. 15, 2024, 7:55 a.m.	buffer: Intel64 Family 6 Model 158 Stepping 10Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz7601.17514.amd64fre.win7sp1_rtm.101119-18507b7c15f9-747a-455f-9ba5-f521dde4252d7C6024AD196912319000{3d3783a0-703a-11de-8c7a-806e6f6e6963}TEST22-PC782796E530A92C4D576FE697D2527AA5 hash_handle: 0x0228d948 flags: 0	1	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

62.173.146.41:443

resources.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All