Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 3, 2024, 9:02 a.m.	Sept. 3, 2024, 9:09 a.m.

Size	3.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`609fea742d34dc1d53f0eeb4873b1a0a`
SHA256	`e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e`
CRC32	`33AA320E`
ssdeep	`98304:wSiW4opH4opH4op4U9tNz9RGa/xlbLP/h4:ZDBDBD1t3Hbb+`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

CheatEngine75.exe "C:\Users\test22\AppData\Local\Temp\CheatEngine75.exe"
2560
- CheatEngine75.tmp "C:\Users\test22\AppData\Local\Temp\is-H4SDH.tmp\CheatEngine75.tmp" /SL5="$80178,2335682,780800,C:\Users\test22\AppData\Local\Temp\CheatEngine75.exe"
  2664
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
d2oq4dwfbh6gxl.cloudfront.net	A 18.154.207.228 A 18.154.207.82 A 18.154.207.177 A 18.154.207.47	18.172.183.199

IP Address	Status	Action
164.124.101.2	Active	Moloch
18.154.207.228	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 18.154.207.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 18.154.207.228:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 18.154.207.228:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	28:d3:87:79:3c:e8:8b:3c:d9:10:45:e5:f7:64:7a:6d:44:4e:5a:62
TLS 1.2 192.168.56.101:49168 18.154.207.228:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	28:d3:87:79:3c:e8:8b:3c:d9:10:45:e5:f7:64:7a:6d:44:4e:5a:62

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 3, 2024, 9:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST https://d2oq4dwfbh6gxl.cloudfront.net/o
suspicious_features	POST method with no referer header				suspicious_request	POST https://d2oq4dwfbh6gxl.cloudfront.net/zbd

Performs some HTTP requests (3 events)

request	POST https://d2oq4dwfbh6gxl.cloudfront.net/o
request	POST https://d2oq4dwfbh6gxl.cloudfront.net/zbd
request	GET https://d2oq4dwfbh6gxl.cloudfront.net/f/AVG_AV/images/1509/BR.png

Sends data using the HTTP POST Method (2 events)

request	POST https://d2oq4dwfbh6gxl.cloudfront.net/o
request	POST https://d2oq4dwfbh6gxl.cloudfront.net/zbd

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 8:56 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 3, 2024, 9:02 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13315821568 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Checks for known Chinese AV sofware registry keys (1 event)

regkey

.*360Safe

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-6TLQH.tmp\zbShieldUtils.dll
file	C:\Users\test22\AppData\Local\Temp\is-6TLQH.tmp\botva2.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-6TLQH.tmp\botva2.dll
file	C:\Users\test22\AppData\Local\Temp\is-H4SDH.tmp\CheatEngine75.tmp
file	C:\Users\test22\AppData\Local\Temp\is-6TLQH.tmp\zbShieldUtils.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000508 process_name: mobsync.exe process_identifier: 2284	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000508 process_name: pw.exe process_identifier: 2328	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000508 process_name: CheatEngine75.exe process_identifier: 2560	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000508 process_name: CheatEngine75.tmp process_identifier: 2664	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 3, 2024, 9:02 a.m.	flags: 15 family: 0		111	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (20 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000510 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x000002dc process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000514 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x000002e0 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000518 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000051c process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000528 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000052c process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000054c process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000548 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000538 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000550 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000554 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000558 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000564 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000568 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000055c process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000560 process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000056c process_name: CheatEngine75.tmp process_identifier: 2664		0	0
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000570 process_name: CheatEngine75.tmp process_identifier: 2664		0	0

Queries for potentially installed applications (50 out of 85 events)

Time & API	Arguments	Return
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CheatEngine_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CheatEngine_is1	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAVVPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-VPN	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonSaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaferWeb	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-DNS	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Antivirus	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1	2
RegOpenKeyExW Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast	2

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-6TLQH.tmp\AVG_AV.png

Attempts to identify installed AV products by registry key (10 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVG\AV\Dir
registry	HKEY_CURRENT_USER\SOFTWARE\AVG\AV\Dir
registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVG\Antivirus\Version
registry	HKEY_CURRENT_USER\SOFTWARE\AVG\Antivirus\Version
registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast
registry	HKEY_CURRENT_USER\SOFTWARE\AVAST Software\Avast
registry	HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
registry	HKEY_CURRENT_USER\SOFTWARE\McAfee\WebAdvisor
registry	HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor
registry	HKEY_CURRENT_USER\SOFTWARE\McAfee\SiteAdvisor

Detects VMWare through the presence of a registry key (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.
registry	HKEY_CURRENT_USER\SOFTWARE\VMware, Inc.

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.Common.91512DFB
Lionic	Riskware.Win32.OfferCore.1!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!PUP
Cylance	Unsafe
K7AntiVirus	Adware ( 00595a211 )
K7GW	Adware ( 00595a211 )
VirIT	Deceptor.CheatEng.DWG
Symantec	PUA.Gen.2
ESET-NOD32	Win32/OfferCore.C potentially unwanted
McAfee	Artemis!609FEA742D34
Kaspersky	not-a-virus:Downloader.Win32.Bundler.gen
Rising	Adware.OfferCore/IFPS!1.FD26 (CLASSIC)
F-Secure	PotentialRisk.PUA/OfferCore.Gen
DrWeb	Trojan.InstallCore.4077
McAfeeD	ti!E2E15826B697
Trapmine	malicious.moderate.ml.score
Sophos	App/Generic-DC
Ikarus	PUA.OfferCore
Webroot	W32.Hack.Tool
Google	Detected
Avira	PUA/OfferCore.Gen
Gridinsoft	PUP.Win32.OfferCore.dd!c
Microsoft	PUADlManager:Win32/OfferCore
ZoneAlarm	not-a-virus:Downloader.Win32.Bundler.gen
Varist	W32/OfferCore.P.gen!Eldorado
DeepInstinct	MALICIOUS
VBA32	AdwareDlManager.OfferCore
Malwarebytes	Generic.Malware.AI.DDS
Panda	Hacktool/CheatEngine
Tencent	Win32.Trojan.FalseSign.Osmw
Yandex	Trojan.Igent.b2ymNk.7
Fortinet	Riskware/OfferCore
Paloalto	generic.ml
CrowdStrike	win/grayware_confidence_100% (W)

CheatEngine75.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All