Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 16, 2022, 10:38 p.m.	Jan. 16, 2022, 10:47 p.m.

Size	635.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bc8905c3958b8b5f581a9045d58c9966`
SHA256	`360f2daa601a407296f2a123346526c790bc1a03f974bad4379e0c534056182e`
CRC32	`C185AFC0`
ssdeep	`12288:RoDmR0LSmXI1XOiQ3V11xOMGdzEVO60ZuNreSNcXf5R5y:Roa028I1XDUzh8DENCSNcXXQ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

111.exe "C:\Users\test22\AppData\Local\Temp\111.exe"
2316

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.163.204.212	Active	Moloch
185.163.204.22	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 16, 2022, 10:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 16, 2022, 10:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 16, 2022, 10:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 16, 2022, 10:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (33 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:38 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:39 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:39 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:39 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:39 p.m.			0	0
IsDebuggerPresent Jan. 16, 2022, 10:39 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 16, 2022, 10:39 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (50 out of 223 events)

Time & API	Arguments	Status
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 10 eb 01 13 64 8f 00 eb 04 a1 a5 7b f2 83 c4 exception.symbol: 111+0xac066 exception.instruction: mov edx, dword ptr [eax] exception.module: 111.exe exception.exception_code: 0xc0000005 exception.offset: 704614 exception.address: 0x103c066 registers.esp: 3342124 registers.edi: 0 registers.eax: 0 registers.ebp: 3342144 registers.edx: 17022976 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 00 eb 03 c1 86 cf 64 8f 00 eb 02 3e 64 83 c4 exception.symbol: 111+0xac9a1 exception.instruction: mov eax, dword ptr [eax] exception.module: 111.exe exception.exception_code: 0xc0000005 exception.offset: 706977 exception.address: 0x103c9a1 registers.esp: 3342092 registers.edi: 0 registers.eax: 0 registers.ebp: 3342144 registers.edx: 4294901775 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: cd 01 40 40 eb 02 be 66 85 c0 eb 03 ba 58 05 74 exception.symbol: 111+0xc324e exception.instruction: int 1 exception.module: 111.exe exception.exception_code: 0xc0000005 exception.offset: 799310 exception.address: 0x105324e registers.esp: 3342084 registers.edi: 17117638 registers.eax: 0 registers.ebp: 4292046984 registers.edx: 0 registers.ebx: 17024512 registers.esi: 17024512 registers.ecx: 17117865	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: 8b 11 eb 03 83 9e ee e9 bb 02 00 00 eb 01 3a 8b exception.symbol: 111+0xae7ae exception.instruction: mov edx, dword ptr [ecx] exception.module: 111.exe exception.exception_code: 0xc0000005 exception.offset: 714670 exception.address: 0x103e7ae registers.esp: 3342092 registers.edi: 17109266 registers.eax: 0 registers.ebp: 4292052294 registers.edx: 17033433 registers.ebx: 3670016 registers.esi: 17024512 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: f7 f2 eb 03 35 a4 7e 90 eb 01 c0 e9 62 01 00 00 exception.symbol: 111+0xaea8d exception.instruction: div edx exception.module: 111.exe exception.exception_code: 0xc0000094 exception.offset: 715405 exception.address: 0x103ea8d registers.esp: 3342092 registers.edi: 4128768 registers.eax: 175746546 registers.ebp: 4292052294 registers.edx: 0 registers.ebx: 3670016 registers.esi: 4128972 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xae76e @ 0x103e76e exception.instruction_r: 0f 0b eb 03 a2 99 87 0f 0b eb 05 ff ff a0 06 19 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x3f45ba registers.esp: 3341756 registers.edi: 3687216 registers.eax: 0 registers.ebp: 3342072 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 235	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73f3482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143 111+0xae76e @ 0x103e76e exception.instruction_r: f7 f0 eb 03 25 9c 8f eb 04 32 bc 46 04 eb 02 15 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x3f474b registers.esp: 3339964 registers.edi: 0 registers.eax: 0 registers.ebp: 3339980 registers.edx: 17032574 registers.ebx: 4146908 registers.esi: 0 registers.ecx: 3340632	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xae76e @ 0x103e76e exception.instruction_r: cc eb 05 f7 99 43 f9 64 33 c9 75 cc 8b 83 98 00 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x3fb453 registers.esp: 3341752 registers.edi: 3713204 registers.eax: 0 registers.ebp: 3342072 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 3341752 registers.ecx: 32	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb685a @ 0x104685a 111+0xc3bde @ 0x1053bde 111+0xae76e @ 0x103e76e exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 3341636 registers.edi: 3714384 registers.eax: 3341636 registers.ebp: 3341716 registers.edx: 0 registers.ebx: 4128972 registers.esi: 4175063 registers.ecx: 4	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xae76e @ 0x103e76e exception.instruction_r: cd 01 40 40 eb 03 39 44 1a 85 c0 eb 04 64 f1 28 exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3fd304 registers.esp: 3341756 registers.edi: 3725700 registers.eax: 0 registers.ebp: 3342072 registers.edx: 4183011 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 17032574	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x3fd327 111+0xae76e @ 0x103e76e exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x3fd48e registers.esp: 3341732 registers.edi: 3726312 registers.eax: 1 registers.ebp: 3341744 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 2020557398	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xae76e @ 0x103e76e exception.instruction_r: 8b 00 90 90 f8 eb 05 c6 bb 8c d5 2c 73 44 eb 03 exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3fd355 registers.esp: 3341756 registers.edi: 3726312 registers.eax: 0 registers.ebp: 3342072 registers.edx: 2 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 2130563072	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xae76e @ 0x103e76e exception.instruction_r: 90 f8 eb 05 c6 bb 8c d5 2c 73 44 eb 03 c4 ac ec exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x3fd358 registers.esp: 3341756 registers.edi: 3726312 registers.eax: 0 registers.ebp: 3342072 registers.edx: 2 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 2130563072	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: 8b 11 eb 03 2a 9a ef 90 eb 02 9a dd e9 94 04 00 exception.symbol: 111+0xb1264 exception.instruction: mov edx, dword ptr [ecx] exception.module: 111.exe exception.exception_code: 0xc0000005 exception.offset: 725604 exception.address: 0x1041264 registers.esp: 3342092 registers.edi: 3734440 registers.eax: 92 registers.ebp: 4292058338 registers.edx: 17041146 registers.ebx: 3670016 registers.esi: 4128972 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb0a91 @ 0x1040a91 exception.instruction_r: 0f 0b eb 02 a2 90 e9 1a f6 ff ff eb 01 bc 5f eb exception.symbol: 111+0xb12f9 exception.instruction: ud2 exception.module: 111.exe exception.exception_code: 0xc000001d exception.offset: 725753 exception.address: 0x10412f9 registers.esp: 3341980 registers.edi: 3734440 registers.eax: 3477361110 registers.ebp: 3342072 registers.edx: 17041563 registers.ebx: 4128972 registers.esi: 16318464 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: f7 f9 eb 01 67 e9 23 02 00 00 eb 02 39 68 8b 83 exception.symbol: 111+0xb076f exception.instruction: idiv ecx exception.module: 111.exe exception.exception_code: 0xc0000094 exception.offset: 722799 exception.address: 0x104076f registers.esp: 3342092 registers.edi: 4008662 registers.eax: 4008662 registers.ebp: 4292058338 registers.edx: 2130566132 registers.ebx: 3670016 registers.esi: 4128972 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 8b c2 eb 05 dd 4f ac 24 ed 55 8b ec 60 f9 72 05 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x4031fc registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 02 ca 55 eb 03 d9 8f 5e cc eb 04 1d 54 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x403130 registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: cc eb 04 1d 54 c8 d0 5e 5b 8b e5 5d c3 eb 01 e0 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x40313b registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 8b c2 eb 05 dd 4f ac 24 ed 55 8b ec 60 f9 72 05 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x4031fc registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: cc eb 04 1d 54 c8 d0 5e 5b 8b e5 5d c3 eb 01 e0 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x40313b registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 02 ca 55 eb 03 d9 8f 5e cc eb 04 1d 54 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x403130 registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: cc eb 04 1d 54 c8 d0 5e 5b 8b e5 5d c3 eb 01 e0 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x40313b registers.esp: 3341744 registers.edi: 4028838 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4206453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40300b 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x403172 registers.esp: 3341732 registers.edi: 4029642 registers.eax: 1 registers.ebp: 3341744 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 2020557398	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb1daa @ 0x1041daa exception.instruction_r: 8b 00 90 90 f8 eb 05 c6 bb 8c d5 2c 73 44 eb 03 exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x403039 registers.esp: 3341756 registers.edi: 4029642 registers.eax: 0 registers.ebp: 3342072 registers.edx: 2 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 2130563072	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb1daa @ 0x1041daa exception.instruction_r: 90 f8 eb 05 c6 bb 8c d5 2c 73 44 eb 03 c4 ac ec exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x40303c registers.esp: 3341756 registers.edi: 4029642 registers.eax: 0 registers.ebp: 3342072 registers.edx: 2 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 2130563072	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb1daa @ 0x1041daa exception.instruction_r: cd 01 40 40 eb 03 39 44 1a 85 c0 eb 04 64 f1 28 exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x402fe8 registers.esp: 3341756 registers.edi: 4030782 registers.eax: 0 registers.ebp: 3342072 registers.edx: 4206791 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 17032574	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b eb 03 a2 99 87 0f 0b eb 05 ff ff a0 06 19 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x403472 registers.esp: 3341756 registers.edi: 4039890 registers.eax: 0 registers.ebp: 3342072 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 235	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73f3482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 03 25 9c 8f eb 04 32 bc 46 04 eb 02 15 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x403603 registers.esp: 3339964 registers.edi: 0 registers.eax: 0 registers.ebp: 3339980 registers.edx: 17032574 registers.ebx: 4208020 registers.esi: 0 registers.ecx: 3340632	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xb1daa @ 0x1041daa exception.instruction_r: cd 68 eb 01 76 66 3d 86 f3 eb 02 1b 87 74 3c eb exception.instruction: int 0x68 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x403ba4 registers.esp: 3341756 registers.edi: 4043702 registers.eax: 17152 registers.ebp: 3342072 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 176	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: cc eb 04 1d 54 c8 d0 5e 5b 8b e5 5d c3 eb 01 e0 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x403cf3 registers.esp: 3341744 registers.edi: 4044250 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4209453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 8b c2 eb 05 dd 4f ac 24 ed 55 8b ec 60 83 6c 24 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x403db4 registers.esp: 3341744 registers.edi: 4044250 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4209453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 02 ca 55 eb 03 d9 8f 5e cc eb 04 1d 54 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x403ce8 registers.esp: 3341744 registers.edi: 4044250 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4209453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 8b c2 eb 05 dd 4f ac 24 ed 55 8b ec 60 83 6c 24 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x403db4 registers.esp: 3341744 registers.edi: 4044250 registers.eax: 0 registers.ebp: 3341768 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4209453 registers.ecx: 10	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f b7 53 06 eb 05 ff 3a 7a 29 e8 c1 e2 10 eb 02 exception.instruction: movzx edx, word ptr [ebx + 6] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x409856 registers.esp: 3341740 registers.edi: 4128972 registers.eax: 0 registers.ebp: 3341768 registers.edx: 3341760 registers.ebx: 12079256 registers.esi: 4292108826 registers.ecx: 47	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: cc eb 04 15 1d 7c 8c 3c 04 eb 03 3b 8e 51 75 57 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x40a37d registers.esp: 3341752 registers.edi: 4067110 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 17032574 registers.ebx: 4128972 registers.esi: 4292108826 registers.ecx: 191	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: cc eb 05 c5 bb 8a 7f 7f eb 04 81 92 b4 ed eb 02 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x404053 registers.esp: 40369172 registers.edi: 1988735230 registers.eax: 0 registers.ebp: 40369232 registers.edx: 4132144 registers.ebx: 4128972 registers.esi: 40369172 registers.ecx: 0	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40a624 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 04 a2 3f c9 00 eb 1b eb 04 25 47 48 49 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x4014b3 registers.esp: 3341396 registers.edi: 4072870 registers.eax: 0 registers.ebp: 3341756 registers.edx: 0 registers.ebx: 4128972 registers.esi: 4199442 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40a717 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b 0f 0b eb 04 1d 56 1e fc eb 02 87 7d f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x40215f registers.esp: 3341376 registers.edi: 4237104 registers.eax: 0 registers.ebp: 3341736 registers.edx: 4202700 registers.ebx: 4128972 registers.esi: 4202700 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40b925 0x40b7d2 0x40b171 0x40a7f4 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 04 a2 3f c9 00 eb 1b eb 04 25 47 48 49 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x4014b3 registers.esp: 3341040 registers.edi: 4073290 registers.eax: 0 registers.ebp: 3341400 registers.edx: 0 registers.ebx: 4128972 registers.esi: 4199442 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40b996 0x40b7d2 0x40b171 0x40a7f4 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b 0f 0b eb 04 1d 56 1e fc eb 02 87 7d f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x40215f registers.esp: 3341040 registers.edi: 4073290 registers.eax: 0 registers.ebp: 3341400 registers.edx: 4202700 registers.ebx: 4128972 registers.esi: 4202700 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40b9bc 0x40b422 0x40b1b4 0x40a7f4 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 04 a2 3f c9 00 eb 1b eb 04 25 47 48 49 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x4014b3 registers.esp: 3340736 registers.edi: 3341270 registers.eax: 0 registers.ebp: 3341096 registers.edx: 3340884 registers.ebx: 4128972 registers.esi: 4199442 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40bacf 0x40b422 0x40b1b4 0x40a7f4 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b 0f 0b eb 04 1d 56 1e fc eb 02 87 7d f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x40215f registers.esp: 3340736 registers.edi: 3341270 registers.eax: 0 registers.ebp: 3341096 registers.edx: 4202700 registers.ebx: 4128972 registers.esi: 4202700 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40b9bc 0x40b382 0x40b216 0x40a7f4 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 04 a2 3f c9 00 eb 1b eb 04 25 47 48 49 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x4014b3 registers.esp: 3340732 registers.edi: 3341234 registers.eax: 0 registers.ebp: 3341092 registers.edx: 0 registers.ebx: 4128972 registers.esi: 4199442 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40bacf 0x40b382 0x40b216 0x40a7f4 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b 0f 0b eb 04 1d 56 1e fc eb 02 87 7d f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x40215f registers.esp: 3340732 registers.edi: 3341234 registers.eax: 0 registers.ebp: 3341092 registers.edx: 4202700 registers.ebx: 4128972 registers.esi: 4202700 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40bdbc 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 04 a2 3f c9 00 eb 1b eb 04 25 47 48 49 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x4014b3 registers.esp: 3341396 registers.edi: 4078942 registers.eax: 0 registers.ebp: 3341756 registers.edx: 0 registers.ebx: 4128972 registers.esi: 4199442 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40cbaf 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: f7 f0 eb 04 a2 3f c9 00 eb 1b eb 04 25 47 48 49 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x4014b3 registers.esp: 3341312 registers.edi: 4078942 registers.eax: 0 registers.ebp: 3341672 registers.edx: 4242876 registers.ebx: 4128972 registers.esi: 4199442 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40cf45 0x40c47f 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b 0f 0b eb 04 1d 56 1e fc eb 02 87 7d f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x40215f registers.esp: 3340904 registers.edi: 4078942 registers.eax: 0 registers.ebp: 3341264 registers.edx: 4202700 registers.ebx: 4128972 registers.esi: 4202700 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: 0x40c5f1 111+0xc3bde @ 0x1053bde 111+0xb1daa @ 0x1041daa exception.instruction_r: 0f 0b 0f 0b eb 04 1d 56 1e fc eb 02 87 7d f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x40215f registers.esp: 3341316 registers.edi: 4078942 registers.eax: 0 registers.ebp: 3341676 registers.edx: 4202700 registers.ebx: 4128972 registers.esi: 4202700 registers.ecx: 4128972	1
__exception__ Jan. 16, 2022, 10:38 p.m.	stacktrace: exception.instruction_r: 8b 00 eb 01 18 e9 32 02 00 00 eb 03 10 af 0f 03 exception.symbol: 111+0xb1e50 exception.instruction: mov eax, dword ptr [eax] exception.module: 111.exe exception.exception_code: 0xc0000005 exception.offset: 728656 exception.address: 0x1041e50 registers.esp: 3342092 registers.edi: 4008670 registers.eax: 0 registers.ebp: 4292062044 registers.edx: 4107886 registers.ebx: 3670016 registers.esi: 4128972 registers.ecx: 10	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.204.22/h_johng_1
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.163.204.212/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.204.212//l/f/V2wjY34BZ2GIX1a3CfZQ/9793afce9b044420562016021dfd1363c16e137d
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.204.212//l/f/V2wjY34BZ2GIX1a3CfZQ/41ea5daae73201e6bf87b354770f4ec90d43950f

Performs some HTTP requests (4 events)

request	GET http://185.163.204.22/h_johng_1
request	POST http://185.163.204.212/
request	GET http://185.163.204.212//l/f/V2wjY34BZ2GIX1a3CfZQ/9793afce9b044420562016021dfd1363c16e137d
request	GET http://185.163.204.212//l/f/V2wjY34BZ2GIX1a3CfZQ/41ea5daae73201e6bf87b354770f4ec90d43950f

Sends data using the HTTP POST Method (1 event)

request

POST http://185.163.204.212/

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 region_size: 442368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 region_size: 299008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 442368 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 442368 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ffd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ffd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01017000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01017000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ffd000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Jan. 16, 2022, 10:38 p.m.	number_of_free_clusters: 2496211 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Jan. 16, 2022, 10:39 p.m.	number_of_free_clusters: 2496211 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (50 out of 59 events)

file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ldif60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozMapi32_InUse.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nss3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-namedpipe-l1-1-0.dll

Drops an executable to the user AppData folder (50 out of 57 events)

file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nss3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-rtlsupport-l1-1-0.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 16, 2022, 10:38 p.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 1584	1	1
Process32NextW Jan. 16, 2022, 10:38 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 900	1	1
Process32NextW Jan. 16, 2022, 10:38 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2256	1	1
Process32NextW Jan. 16, 2022, 10:38 p.m.	snapshot_handle: 0x0000012c process_name: 111.exe process_identifier: 2316	1	1
Process32NextW Jan. 16, 2022, 10:38 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 2336	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 16, 2022, 10:38 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00440000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0001bccc', u'virtual_address': u'0x00090000', u'entropy': 7.547083182067553, u'name': u'.rsrc', u'virtual_size': u'0x0001bccc'}

entropy

7.54708318207

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00017d0e', u'virtual_address': u'0x000ac000', u'entropy': 7.996869002898708, u'name': u'', u'virtual_size': u'0x00018000'}

entropy

7.9968690029

description

A section with a high entropy has been found

entropy

0.99758410796

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

111.exe

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Jan. 16, 2022, 10:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (2 events)

host	185.163.204.212
host	185.163.204.22

Checks for the presence of known devices from debuggers and forensic tools (2 events)

file	\??\SICE
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (2 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowExW Jan. 16, 2022, 10:38 p.m.	class_name: OLLYDBG child_after_hwnd: 0x00000000 parent_hwnd: 0x00000000 window_name: OllyDBg	1	262188	0
FindWindowW Jan. 16, 2022, 10:38 p.m.	class_name: WinDbgFrameClass window_name:		0	0

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Jan. 16, 2022, 10:39 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\Documents\Outlook 파일\Outlook.pst
file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\POP3 User

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxGuest

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.bc8905c3958b8b5f
Cylance	Unsafe
Cybereason	malicious.792eff
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:Malware-gen
Rising	Malware.Heuristic!ET#98% (RDMK:cmRtazptNDj6Wv4bQ6Ae6CoaajYM)
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Obsidium
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Packed
Malwarebytes	Malware.Heuristic.1003
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZexaF.34160.Nq3@a8F2l3fi
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_60% (D)

111.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All