Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 15, 2024, 7:56 a.m.	Feb. 15, 2024, 7:59 a.m.

Size	11.4MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`e758e07113016aca55d9eda2b0ffeebe`
SHA256	`2597322a49a6252445ca4c8d713320b238113b3b8fd8a2d6fc1088a5934cee0e`
CRC32	`DCFA2D62`
ssdeep	`196608:JWx2zpdra2YbT8yN+8Mne5nd7g25FjZC8OH7RbFd/Or+GvJbU9RDf/kuFLOyomFI:JYCrdiNTF5nZ9C8Ud29JuF`
PDB Path	E:\cpp\git7\dll\WndResizerApp.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature IsDLL - (no description) Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,CIrNTzBaPkppGNf
2548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,CZnIUAAeJ
2632
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,FxJWXdx
2724
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,GbmgwMEzKpXc
2820
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,HipXGmygXapBRYfa
2912
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,IYfRriwGvbgbXBXReH
3004
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,LKSMdMaTT
1152
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,NpZatICsK
2068
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,SOdCGqnNtDWyDo
2256
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,UAyCqwHRBMHCdHlVz
2496
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,ZfDMgndWxjR
2668
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,iBZHcoeoarRd
2804
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,jERKotJBwfw
2948
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,nkYPRlgSTnlUkuDTW
2636
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,rtVNQhSpgienExR
1356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,start
2364
- powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath
  1644
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,uMRRtkuQVecTfq
2672
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,ukniOqaVKgeX
2780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,yVmJFl
3024
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\resources.dll,
3008

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
195.133.88.98	Active	Moloch
62.173.146.41	Active	Moloch
91.201.67.85	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name:		0
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 15, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (20 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Feb. 15, 2024, 7:57 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath console_handle: 0x00000053	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 15, 2024, 7:57 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 149 events)

Time & API	Arguments	Status	Return
CryptGenKey Feb. 15, 2024, 7:56 a.m.	crypto_handle: 0x008af3a0 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x0223df08	1	1
CryptExportKey Feb. 15, 2024, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008af3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:56 a.m.	buffer: ¤RSA2Ã±)Ó¹÷¤ÉnÉ`ÆiÖ_[eEâo7ÙmÈÊÜïp¾Ú·s¸©^Ìä}ê¹êAwT-{¾Z(OzQaÇn5ó®]Ê0<2F¥}ï.A1óöã7ùìà?ÏKécý_4=T9ë,ÔBHG¨HéHÓqÁ¼d Úè+IXçÂ[bKiñ®åµ6Üx÷ÊpÚV{fÈîG\|£`Ç¬ü©Ë%ú<X¿QÚõb¡Ær'½Uc~7ÝUÜ#úëÙls?2Þ}Ô¢ê´±uï»J¡úÑ7#çãÞ ÑUfqÜà¯»ñ¶s9ùÒðÜm¸\|<hÏý!âF^ê}Û® »gE {Ëpõb`3[BÏ !d¬vÜÁ±è«ç¤D9±Ì-)Ëõôr+áØ¶èa3RbIr2ý -N= 5Ýn»Ù^¼g¼Bé > áÃ¦û#Ùæ=_õh<=H´ºb)°+ïgKÈ\!6}eùÐÂðZô_=Ì_<ÖÏAªhyDªÈR`L:¹T¶%Ü/¬>é®öïz¨%ë´5¬Ë¤ån¾¿É9¼¬C²)Lõ¹T2=Ðr#Ò-Úyò²õ!;$ë²Uòµ§?¦ÅÈÐàÌ,U5ì¶=X(è§¤p\Oÿèâá0 ÓhÍìL*Þb h@³Ý¼N crypto_handle: 0x008af3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008af3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 15, 2024, 7:56 a.m.	buffer: ¤RSA1Ã±)Ó¹÷¤ÉnÉ`ÆiÖ_[eEâo7ÙmÈÊÜïp¾Ú·s¸©^Ìä}ê¹êAwT-{¾Z(OzQaÇn5ó®]Ê0<2F¥}ï.A1óöã7ùìà?ÏKécý_4=T9ë,ÔBHG¨HéH crypto_handle: 0x008af3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x0223e920	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA2ókÍ ?LA®ÿ9ä7ÙóÇo3R8»¡\õgs <ä`8×J½§0üÉµS¦ÉÅï¨¿ ÉØT°KÏñ\$Ø£ÛÕïX8oªúÖ®×3¯bÑüÑÆüï\YûêÀûë§ýÃtÖCXà¸9sj¸ÑÌaI+ø6-«ï÷Ä À£ÅÊøA1½(NDòåJj°ÄèâÂbßþh'JqnÙSþ'ogqÖPÝl ù(èNüBBÀâ@ZÓ§N3ü Ë<¿Ëq´ÌT/@øY<pÇg¿æ4>4ó³ÀÓÂ(Âà;,ØÕ~Ë_ZË :»è¨I°]©h^KÍÖ®D?½6LÂRú©Æ¶9±U4«$Þ^$è{eÈ·2P\bY ÙVUá¦9êßð[`nî½<åFeÎáG© þæ=áAtFV¨ÌÎ_þzúÞR eBòÂWvÞÃ ¿ãÇê&¬5ÁEÆ»F ä-ü_#6ÏOA¡Z Ë>±¨¨ködI½ÝÖ\`øöBH\|Þ)o×bçeÿ(pÁZ,Uè"ÏÎÔx¨ÈÏÒØèÌ¸Év9 6BZá¤x×]ºwÌcÜs-YÓ> Ä=W ý{<à(ãt7úC/§²/%þfüñë>æ¦6«Ed»¾ÓÙ¸J`æ.Ò,5@.1EÚe crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA1ókÍ ?LA®ÿ9ä7ÙóÇo3R8»¡\õgs <ä`8×J½§0üÉµS¦ÉÅï¨¿ ÉØT°KÏñ\$Ø£ÛÕïX8oªúÖ®×3¯bÑüÑÆüï\YûêÀûë§ýÃtÖCXà¸9sj¸ crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x029886e8 algorithm_identifier: 0x00006610 () flags: 1 key: f J«Í¡äãÎ;UÇ=rTó âQ=n¿ÑÔÿÿodK provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x029886e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f J«Í¡äãÎ;UÇ=rTó âQ=n¿ÑÔÿÿodK crypto_handle: 0x029886e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x029883e8 algorithm_identifier: 0x00006610 () flags: 1 key: f zrmÁBÙpe -ÝÍ?~«4 #Ì©5 provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x029883e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f zrmÁBÙpe -ÝÍ?~«4 #Ì©5 crypto_handle: 0x029883e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f ÛìKEØ?j_`Ç9[Ø)´¼ÂH¢³¬v· provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ÛìKEØ?j_`Ç9[Ø)´¼ÂH¢³¬v· crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f êÅ^ði¡G3<vxpZz=iâ¿ø³ðwgüëÔ provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f êÅ^ði¡G3<vxpZz=iâ¿ø³ðwgüëÔ crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f \|ð _øûù%ÀO6âËaÎ£.ÃÿJtCB¶ provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f \|ð _øûù%ÀO6âËaÎ£.ÃÿJtCB¶ crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02987f28 algorithm_identifier: 0x00006610 () flags: 1 key: f ÂCÈËsóù£ÞÖ¡Â9÷h³ÕâHÄ¯ provider_handle: 0x0223eb40	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02987f28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ÂCÈËsóù£ÞÖ¡Â9÷h³ÕâHÄ¯ crypto_handle: 0x02987f28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x029883e8 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x0223e920	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x029883e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA2Ý%ÙéùJ}^YW(3±9»ÊªÖ¯¸è¹çÀÚ$ÜK!>ÃR Øt!Vªêú¹¯ÔÅÎEl#ûÔ"ëÍ]HLX¾¥iÀUcú£Ë8ó¿ö4yyÊ{IìóÏÁaÒmàÙÏaâ'ÈÏ;óù#4ú«8è[§M^üümbÝWÐ]%¦S0ÁV/ìWHGé#ØZÊgR§3j}ÍêÆ¡Grò1H²Å%îoéi¿®¹Ú!È¢~¿ 9"·pD<ðcNúîÚi¯¨ïñaùÖ ,érv22ðs]&¦8åMÑ×ÚSw@eáàNTc´V Ïè´D-Ñ1üEßÆILýÓôõ x0 #oÑï2ÍSÏ^GÝiÑ®þ ÊÝµzB¬\|ÛzËÕHáîó½àbÆvë®@õÅûýÃSxïÓí0 4jÑxÚ«Ç«9e]#mÜ,y°úÂÙê7¹ÝócHÌôÒå:I5ÕØV5µÄ±íÑ¼>óIKãà àn#»1<®_§«[»î'R¶aÛ7±¡úÄyRÄyíÜ9S9 ÛQp(L0OWÑp5á\|âµÞÙbÖµÑåÌ)Å´IÝß&DGN¼k£òÚ/Þp`ôÐã¢Ç£"ÿaÓÙ0F0äB¤eþªIÄÈYáf5Esªã õ"Î crypto_handle: 0x029883e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x029883e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: ¤RSA1Ý%ÙéùJ}^YW(3±9»ÊªÖ¯¸è¹çÀÚ$ÜK!>ÃR Øt!Vªêú¹¯ÔÅÎEl#ûÔ"ëÍ]HLX¾¥iÀUcú£Ë8ó¿ö4yyÊ{IìóÏÁaÒmàÙ crypto_handle: 0x029883e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x029886e8 algorithm_identifier: 0x00006610 () flags: 1 key: f ò¡¾R)0f¿ÑÏ&ÑD+Á¯ºô"\âöw provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x029886e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ò¡¾R)0f¿ÑÏ&ÑD+Á¯ºô"\âöw crypto_handle: 0x029886e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f 7§ãÃXcÛÆùå»#bzF-íÇ¿îIÕÙ¦ë provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f 7§ãÃXcÛÆùå»#bzF-íÇ¿îIÕÙ¦ë crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f kÚ/æyë&X}d¾Ê?¨uNÁ·£¤Òü<-l provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f kÚ/æyë&X}d¾Ê?¨uNÁ·£¤Òü<-l crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f ¨«ÌQçs]o¢wåÃ3Éâ@´¯]l`Ú( 2 provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ¨«ÌQçs]o¢wåÃ3Éâ@´¯]l`Ú( 2 crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f ý)ïÌbzL+.NKÁû[Mdyò~$÷ú+$ûb provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: f ý)ïÌbzL+.NKÁû[Mdyò~$÷ú+$ûb crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Feb. 15, 2024, 7:57 a.m.	crypto_handle: 0x02988468 algorithm_identifier: 0x00006610 () flags: 1 key: f -1ìªÈÇâÑÑ×R"J?w¸@Ds§ýc provider_handle: 0x0223e9a8	1	1
CryptExportKey Feb. 15, 2024, 7:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x02988468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DigitalProductId
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 event)

pdb_path

E:\cpp\git7\dll\WndResizerApp.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\NoModify

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 15, 2024, 7:56 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	PNG
resource name	STYLE_XML
resource name	None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 371 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72224000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72224000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72224000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72224000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72224000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 15, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 582 seconds, actually delayed analysis time by 582 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Feb. 15, 2024, 7:56 a.m.	total_number_of_free_bytes: 13309550592 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (20 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\bg\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_16.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\de\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\en_GB\messages.json
file	C:\Users\test22\AppData\Roaming\Opera\wand.dat
file	C:\Users\test22\AppData\Local\Programs\Opera\
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
registry	HKEY_CURRENT_USER\Software\Opera Software

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath
cmdline	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_NetworkAdapter
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_ComputerSystem

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Feb. 15, 2024, 7:57 a.m.	show_type: 0 filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe parameters: Add-MpPreference -ExclusionPath filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x000005c0 process_name: WmiPrvSE.exe process_identifier: 2940	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x000005c0 process_name: svchost.exe process_identifier: 1780	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x000005c0 process_name: powershell.exe process_identifier: 1644	1	1
Process32NextW Feb. 15, 2024, 7:57 a.m.	snapshot_handle: 0x000005c0 process_name: ǙH process_identifier: 3080192		0

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Skyhigh	BehavesLike.Win32.Dropper.wc
VirIT	Trojan.Win32.DanaBot.DXA
ESET-NOD32	a variant of Win32/GenKryptik.GTWG
McAfee	Artemis!E758E0711301
Kaspersky	UDS:Trojan-Banker.Win32.Danabot
Rising	Trojan.Kryptik!8.8 (CLOUD)
Kingsoft	Win32.HeurC.KVM008.a
Microsoft	Trojan:Win32/Wacatac.B!ml

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0097d800', u'virtual_address': u'0x00001000', u'entropy': 7.742600573834696, u'name': u'.text', u'virtual_size': u'0x0097d68a'}

entropy

7.74260057383

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00166400', u'virtual_address': u'0x009dc000', u'entropy': 7.564019726941489, u'name': u'.rsrc', u'virtual_size': u'0x00166230'}

entropy

7.56401972694

description

A section with a high entropy has been found

entropy

0.957825115959

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 15, 2024, 7:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Feb. 15, 2024, 7:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 11371 events)

Time & API	Arguments	Status
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 15, 2024, 7:56 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystem

Communicates with host for which no DNS query was performed (3 events)

host	195.133.88.98
host	62.173.146.41
host	91.201.67.85

Attempts to identify installed AV products by installation directory (3 events)

file	C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
file	C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe
file	C:\Users\test22\AppData\Local\AVAST Software\Browser\Application\AvastBrowser.exe

Checks the CPU name from registry, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to disable browser security warnings (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect

Harvests credentials from local FTP client softwares (50 out of 73 events)

file	C:\ProgramData\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\4\Quick.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\Sites.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\Quick.dat
file	C:\ProgramData\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\3\History.dat
file	C:\ProgramData\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\4\Sites.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\Quick.dat
file	C:\Users\test22\AppData\Local\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Roaming\FlashFXP\3\History.dat
file	C:\Users\test22\AppData\Local\FlashFXP\4\Sites.dat
file	C:\ProgramData\FlashFXP\3\Quick.dat
file	C:\ProgramData\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Local\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Roaming\VanDyke\Config\Sessions\
file	C:\Users\test22\AppData\Local\FTP Explorer\profiles.xml
file	C:\ProgramData\FTP Explorer\profiles.xml
file	C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file	C:\ProgramData\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\History.dat
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\ProgramData\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Roaming\TurboFTP\addrbk.dat
file	C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file	C:\Users\test22\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
registry	HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
registry	HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main

Harvests information related to installed instant messenger clients (9 events)

file	C:\Users\test22\AppData\Roaming\Digsby\Digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\ProgramData\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Trillian\users\global\accounts.ini
file	C:\ProgramData\Trillian\users\global\accounts.ini
file	C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Collects information about installed applications (50 out of 174 events)

Time & API	Arguments	Status
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 15, 2024, 7:56 a.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1

Harvests credentials from local email clients (23 events)

file	C:\ProgramData\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\History.dat
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\ProgramData\SmartFTP\History.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file	C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file	C:\Users\test22\AppData\Local\Microsoft\Windows Live Mail\
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Import
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Poco Systems Inc\PocoMail 4
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Scribe\Protocols\mailto\shell
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B8A38B78036CCEEF8AC47E93E4EB3FE4D631E3E4\Blob

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (2 events)

Time & API	Arguments	Status	Return	Repeated
CryptHashData Feb. 15, 2024, 7:56 a.m.	buffer: Intel64 Family 6 Model 158 Stepping 10Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz7601.17514.amd64fre.win7sp1_rtm.101119-18507b7c15f9-747a-455f-9ba5-f521dde4252d7C6024AD196912319000{3d3783a0-703a-11de-8c7a-806e6f6e6963}TEST22-PC782796E530A92C4D576FE697D2527AA5 hash_handle: 0x008af3a0 flags: 0	1	1	0
CryptHashData Feb. 15, 2024, 7:56 a.m.	buffer: Intel64 Family 6 Model 158 Stepping 10Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz7601.17514.amd64fre.win7sp1_rtm.101119-18507b7c15f9-747a-455f-9ba5-f521dde4252d7C6024AD196912319000{3d3783a0-703a-11de-8c7a-806e6f6e6963}TEST22-PC782796E530A92C4D576FE697D2527AA5 hash_handle: 0x008af3a0 flags: 0	1	1	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

62.173.146.41:443

resources.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All