Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 17, 2024, 10:12 p.m.	Aug. 17, 2024, 10:27 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`962f3de7b7ee4a08179142efffa50372`
SHA256	`15310086db4e19ecf15468ac16241539cfd1378eb762b7f640b213ce066eef7f`
CRC32	`3BCCE9AB`
ssdeep	`49152:+yCkU1MWOu1V1/x0edzVPa/QfIpwhBAOx7IMkV:+yCkUidIDXNapwAOx7a`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

leon.exe "C:\Users\test22\AppData\Local\Temp\leon.exe"
2568
- svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2836
  - 6e0e2db711.exe "C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe"
    3032
  - dd0dbe53a9.exe "C:\Users\test22\AppData\Local\Temp\1000002001\dd0dbe53a9.exe"
    2088
  - 61b112e7ef.exe "C:\Users\test22\1000003002\61b112e7ef.exe"
    192
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.67.202.34	Active	Moloch
185.215.113.100	Active	Moloch
185.215.113.16	Active	Moloch
31.41.244.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 31.41.244.10:80 -> 192.168.56.101:49165	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49170 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49173	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49173	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49173	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49170 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:14 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 10:12 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	yulglecm
section	difuzlzn
section	.taggant

One or more processes crashed (50 out of 258 events)

Time & API	Arguments	Status
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: leon+0x3120b9 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 3219641 exception.address: 0x12e20b9 registers.esp: 4652584 registers.edi: 0 registers.eax: 1 registers.ebp: 4652600 registers.edx: 21487616 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 51 89 14 24 50 b8 50 fe 0a 62 89 44 24 04 58 exception.symbol: leon+0x6d227 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 447015 exception.address: 0x103d227 registers.esp: 4652552 registers.edi: 240873 registers.eax: 30284 registers.ebp: 4007047188 registers.edx: 0 registers.ebx: 414384191 registers.esi: 3 registers.ecx: 17029784	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 b3 f7 ff ff 33 2c 24 31 2c 24 33 2c 24 e9 exception.symbol: leon+0x6e8f9 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 452857 exception.address: 0x103e8f9 registers.esp: 4652548 registers.edi: 240873 registers.eax: 17031136 registers.ebp: 4007047188 registers.edx: 0 registers.ebx: 2060145951 registers.esi: 3 registers.ecx: 1460278093	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 01 8b 1c 24 51 89 14 24 89 e2 83 exception.symbol: leon+0x6e1ef exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 451055 exception.address: 0x103e1ef registers.esp: 4652552 registers.edi: 240873 registers.eax: 17061399 registers.ebp: 4007047188 registers.edx: 0 registers.ebx: 2060145951 registers.esi: 3 registers.ecx: 1460278093	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 51 50 e9 d3 fd ff ff 89 e2 81 c2 04 00 00 00 exception.symbol: leon+0x6e5df exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 452063 exception.address: 0x103e5df registers.esp: 4652552 registers.edi: 240873 registers.eax: 17061399 registers.ebp: 4007047188 registers.edx: 0 registers.ebx: 1259 registers.esi: 3 registers.ecx: 4294939548	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 53 e9 b2 f7 ff ff b8 c6 95 f2 13 29 c7 58 68 exception.symbol: leon+0x1e7dfb exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 1998331 exception.address: 0x11b7dfb registers.esp: 4652548 registers.edi: 18576160 registers.eax: 25551 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 43975327 registers.esi: 18559884 registers.ecx: 671	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 e9 f2 03 00 00 89 exception.symbol: leon+0x1e7903 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 1997059 exception.address: 0x11b7903 registers.esp: 4652552 registers.edi: 18601711 registers.eax: 25551 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 43975327 registers.esi: 18559884 registers.ecx: 671	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 aa f7 ff ff 8b 04 24 83 c4 04 33 exception.symbol: leon+0x1e7ddb exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 1998299 exception.address: 0x11b7ddb registers.esp: 4652552 registers.edi: 18601711 registers.eax: 25551 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 43975327 registers.esi: 4294944604 registers.ecx: 670697	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 51 e9 8f 00 00 00 89 04 24 b8 b1 e4 ff 76 01 exception.symbol: leon+0x1e9cd1 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2006225 exception.address: 0x11b9cd1 registers.esp: 4652548 registers.edi: 18601711 registers.eax: 18584803 registers.ebp: 4007047188 registers.edx: 1405087254 registers.ebx: 43975327 registers.esi: 4294944604 registers.ecx: 819063340	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 55 68 98 95 fb 5e 5d 55 e9 0f 00 00 00 4b 81 exception.symbol: leon+0x1e9948 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2005320 exception.address: 0x11b9948 registers.esp: 4652552 registers.edi: 18601711 registers.eax: 18611307 registers.ebp: 4007047188 registers.edx: 1405087254 registers.ebx: 43975327 registers.esi: 4294944604 registers.ecx: 819063340	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 33 01 00 00 89 0c 24 b9 00 bb ff 7d bd e1 exception.symbol: leon+0x1e9be0 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2005984 exception.address: 0x11b9be0 registers.esp: 4652552 registers.edi: 18601711 registers.eax: 18611307 registers.ebp: 4007047188 registers.edx: 1405087254 registers.ebx: 4294943884 registers.esi: 4294944604 registers.ecx: 1549541099	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 56 be 36 ee 7f 5e 81 c3 14 c1 16 77 01 f3 81 exception.symbol: leon+0x1ee5a9 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2024873 exception.address: 0x11be5a9 registers.esp: 4652548 registers.edi: 0 registers.eax: 30848 registers.ebp: 4007047188 registers.edx: 3230260929 registers.ebx: 18605369 registers.esi: 1988670905 registers.ecx: 14288	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 1e ff 34 24 ff 34 24 5f 51 89 e1 exception.symbol: leon+0x1ee5c4 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2024900 exception.address: 0x11be5c4 registers.esp: 4652552 registers.edi: 0 registers.eax: 30848 registers.ebp: 4007047188 registers.edx: 3230260929 registers.ebx: 18636217 registers.esi: 1988670905 registers.ecx: 14288	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 c3 02 00 00 8b 0c 24 83 exception.symbol: leon+0x1eead7 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2026199 exception.address: 0x11bead7 registers.esp: 4652552 registers.edi: 1259 registers.eax: 30848 registers.ebp: 4007047188 registers.edx: 3230260929 registers.ebx: 18636217 registers.esi: 4294939176 registers.ecx: 14288	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 89 3c 24 54 5f 50 e9 exception.symbol: leon+0x1f6279 exception.instruction: in eax, dx exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2056825 exception.address: 0x11c6279 registers.esp: 4652544 registers.edi: 5320206 registers.eax: 1447909480 registers.ebp: 4007047188 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18622344 registers.ecx: 20	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: leon+0x1f343c exception.address: 0x11c343c exception.module: leon.exe exception.exception_code: 0xc000001d exception.offset: 2044988 registers.esp: 4652544 registers.edi: 5320206 registers.eax: 1 registers.ebp: 4007047188 registers.edx: 22104 registers.ebx: 0 registers.esi: 18622344 registers.ecx: 20	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 19 2c 2d 12 01 exception.symbol: leon+0x1f59d2 exception.instruction: in eax, dx exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2054610 exception.address: 0x11c59d2 registers.esp: 4652544 registers.edi: 5320206 registers.eax: 1447909480 registers.ebp: 4007047188 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18622344 registers.ecx: 10	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 be 04 00 00 81 ee af 67 ff 77 e9 1f 02 00 exception.symbol: leon+0x1fb739 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2078521 exception.address: 0x11cb739 registers.esp: 4652548 registers.edi: 5320206 registers.eax: 30040 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 18657778 registers.esi: 10 registers.ecx: 2116157440	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 68 bc bf f0 08 89 14 24 89 04 24 89 0c 24 51 exception.symbol: leon+0x1fbded exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2080237 exception.address: 0x11cbded registers.esp: 4652552 registers.edi: 1222541664 registers.eax: 30040 registers.ebp: 4007047188 registers.edx: 4294940400 registers.ebx: 18687818 registers.esi: 10 registers.ecx: 2116157440	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: leon+0x1fc075 exception.instruction: int 1 exception.module: leon.exe exception.exception_code: 0xc0000005 exception.offset: 2080885 exception.address: 0x11cc075 registers.esp: 4652512 registers.edi: 0 registers.eax: 4652512 registers.ebp: 4007047188 registers.edx: 18661410 registers.ebx: 18661671 registers.esi: 18661410 registers.ecx: 4294929226	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 51 b9 ee 19 db 4f c1 e9 07 81 e9 9d c8 b1 88 exception.symbol: leon+0x20ad0a exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2141450 exception.address: 0x11dad0a registers.esp: 4652548 registers.edi: 18721563 registers.eax: 26150 registers.ebp: 4007047188 registers.edx: 6 registers.ebx: 12061753 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 07 ff 34 24 5a 50 e9 37 04 00 00 exception.symbol: leon+0x20abfc exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2141180 exception.address: 0x11dabfc registers.esp: 4652552 registers.edi: 18747713 registers.eax: 26150 registers.ebp: 4007047188 registers.edx: 6 registers.ebx: 12061753 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 68 1e e1 e0 2f 89 1c 24 89 14 24 c7 04 24 3f exception.symbol: leon+0x20ac33 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2141235 exception.address: 0x11dac33 registers.esp: 4652552 registers.edi: 18747713 registers.eax: 4294943664 registers.ebp: 4007047188 registers.edx: 607453008 registers.ebx: 12061753 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 50 b8 dc c4 d7 35 e9 4f 00 00 00 bd exception.symbol: leon+0x20d2f3 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2151155 exception.address: 0x11dd2f3 registers.esp: 4652548 registers.edi: 18747713 registers.eax: 31870 registers.ebp: 4007047188 registers.edx: 607453008 registers.ebx: 1763798295 registers.esi: 18729909 registers.ecx: 1403793664	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 31 d2 e9 cb 00 00 00 5a 42 81 ea e7 1f fc e1 exception.symbol: leon+0x20d32f exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2151215 exception.address: 0x11dd32f registers.esp: 4652552 registers.edi: 18747713 registers.eax: 31870 registers.ebp: 4007047188 registers.edx: 607453008 registers.ebx: 1763798295 registers.esi: 18761779 registers.ecx: 1403793664	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 3b 05 00 00 89 f9 e9 49 00 00 00 89 e1 e9 exception.symbol: leon+0x20d0cc exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2150604 exception.address: 0x11dd0cc registers.esp: 4652552 registers.edi: 18747713 registers.eax: 31870 registers.ebp: 4007047188 registers.edx: 4294938128 registers.ebx: 663785 registers.esi: 18761779 registers.ecx: 1403793664	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 fe 00 00 00 bd 7b cf 7e 37 81 ed e3 83 fe exception.symbol: leon+0x2117c8 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2168776 exception.address: 0x11e17c8 registers.esp: 4652544 registers.edi: 18778884 registers.eax: 30292 registers.ebp: 4007047188 registers.edx: 4294938128 registers.ebx: 975452702 registers.esi: 18761779 registers.ecx: 4294938128	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 68 13 13 5e 00 89 14 24 e9 de 02 00 00 58 55 exception.symbol: leon+0x211c22 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2169890 exception.address: 0x11e1c22 registers.esp: 4652544 registers.edi: 18751392 registers.eax: 30292 registers.ebp: 4007047188 registers.edx: 4294938128 registers.ebx: 975452702 registers.esi: 0 registers.ecx: 3909414019	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 06 f8 ff ff 09 c1 8b 04 24 83 c4 04 87 d9 exception.symbol: leon+0x216204 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2187780 exception.address: 0x11e6204 registers.esp: 4652544 registers.edi: 18793486 registers.eax: 27463 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 975452702 registers.esi: 0 registers.ecx: 2116157440	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 68 fb ff ff c1 ef 07 e9 57 01 00 00 8b 34 exception.symbol: leon+0x215f1a exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2187034 exception.address: 0x11e5f1a registers.esp: 4652544 registers.edi: 18768894 registers.eax: 27463 registers.ebp: 4007047188 registers.edx: 84201 registers.ebx: 975452702 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 52 e9 00 00 00 00 53 68 03 be ff 7f 5b 53 81 exception.symbol: leon+0x2344a6 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2311334 exception.address: 0x12044a6 registers.esp: 4652508 registers.edi: 4007047188 registers.eax: 32475 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 2148925497 registers.esi: 18889681 registers.ecx: 2149453945	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 3f 01 00 00 f7 d5 81 ed a8 48 05 0b 89 e8 exception.symbol: leon+0x2342e0 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2310880 exception.address: 0x12042e0 registers.esp: 4652512 registers.edi: 4007047188 registers.eax: 32475 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 2148925497 registers.esi: 18922156 registers.ecx: 2149453945	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 55 51 e9 2d f8 ff ff 81 c2 d1 8f 53 7c 29 d6 exception.symbol: leon+0x23454c exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2311500 exception.address: 0x120454c registers.esp: 4652512 registers.edi: 236303720 registers.eax: 32475 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 4294937676 registers.esi: 18922156 registers.ecx: 2149453945	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 52 e9 17 00 00 00 83 c4 04 87 04 24 8b 24 24 exception.symbol: leon+0x234c0a exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2313226 exception.address: 0x1204c0a registers.esp: 4652508 registers.edi: 236303720 registers.eax: 31924 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 18892981 registers.esi: 18922156 registers.ecx: 1060616465	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 59 07 00 00 51 e9 28 00 00 00 89 14 24 51 exception.symbol: leon+0x234c22 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2313250 exception.address: 0x1204c22 registers.esp: 4652512 registers.edi: 1442867808 registers.eax: 0 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 18895821 registers.esi: 18922156 registers.ecx: 1060616465	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 81 c1 73 16 dd 5f 50 89 14 24 e9 c7 00 00 00 exception.symbol: leon+0x235fc9 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2318281 exception.address: 0x1205fc9 registers.esp: 4652508 registers.edi: 1961667722 registers.eax: 32711 registers.ebp: 4007047188 registers.edx: 0 registers.ebx: 1961667722 registers.esi: 18895851 registers.ecx: 18897140	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 68 16 7f 10 31 89 0c 24 b9 3a fe f6 2f e9 d0 exception.symbol: leon+0x235bcb exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2317259 exception.address: 0x1205bcb registers.esp: 4652512 registers.edi: 1961667722 registers.eax: 32711 registers.ebp: 4007047188 registers.edx: 0 registers.ebx: 1961667722 registers.esi: 18895851 registers.ecx: 18929851	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 7e fc ff ff 89 04 24 89 e0 05 04 00 00 00 exception.symbol: leon+0x235ee4 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2318052 exception.address: 0x1205ee4 registers.esp: 4652512 registers.edi: 1961667722 registers.eax: 0 registers.ebp: 4007047188 registers.edx: 3904063336 registers.ebx: 1961667722 registers.esi: 18895851 registers.ecx: 18899891	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 4c 00 00 00 81 c1 bd 15 d7 7f 83 c1 ff 81 exception.symbol: leon+0x236c21 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2321441 exception.address: 0x1206c21 registers.esp: 4652512 registers.edi: 1961667722 registers.eax: 31982 registers.ebp: 4007047188 registers.edx: 3951126112 registers.ebx: 1961667722 registers.esi: 4294938076 registers.ecx: 18932306	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 68 7b cb b6 15 89 1c 24 89 3c 24 bf 1d 76 39 exception.symbol: leon+0x23b57c exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2340220 exception.address: 0x120b57c registers.esp: 4652512 registers.edi: 18952509 registers.eax: 4294938208 registers.ebp: 4007047188 registers.edx: 18919203 registers.ebx: 17030497 registers.esi: 4294938076 registers.ecx: 93673	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 c3 ee f7 3d ff 04 24 f7 1c 24 e9 exception.symbol: leon+0x23fc94 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2358420 exception.address: 0x120fc94 registers.esp: 4652512 registers.edi: 4025975081 registers.eax: 28583 registers.ebp: 4007047188 registers.edx: 1902225489 registers.ebx: 268436083 registers.esi: 18966033 registers.ecx: 1921160947	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 e0 af f7 7f e9 bc 00 00 00 87 34 exception.symbol: leon+0x240076 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2359414 exception.address: 0x1210076 registers.esp: 4652512 registers.edi: 3939837675 registers.eax: 28583 registers.ebp: 4007047188 registers.edx: 1902225489 registers.ebx: 0 registers.esi: 18940401 registers.ecx: 1921160947	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 ec 00 00 00 81 c1 d0 40 exception.symbol: leon+0x24166a exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2365034 exception.address: 0x121166a registers.esp: 4652508 registers.edi: 0 registers.eax: 25746 registers.ebp: 4007047188 registers.edx: 18941614 registers.ebx: 18943765 registers.esi: 18957387 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 31 c0 ff 34 18 8b 0c 24 55 89 e5 81 c5 04 00 exception.symbol: leon+0x240fa8 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2363304 exception.address: 0x1210fa8 registers.esp: 4652512 registers.edi: 0 registers.eax: 25746 registers.ebp: 4007047188 registers.edx: 18941614 registers.ebx: 18969511 registers.esi: 18957387 registers.ecx: 0	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 ac fd ff ff 89 14 24 83 ec 04 89 0c 24 b9 exception.symbol: leon+0x2417e8 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2365416 exception.address: 0x12117e8 registers.esp: 4652512 registers.edi: 0 registers.eax: 4294944300 registers.ebp: 4007047188 registers.edx: 18941614 registers.ebx: 18969511 registers.esi: 18957387 registers.ecx: 157417	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb e9 86 01 00 00 81 c5 04 00 00 00 e9 0f 09 00 exception.symbol: leon+0x241e56 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2367062 exception.address: 0x1211e56 registers.esp: 4652512 registers.edi: 0 registers.eax: 26912 registers.ebp: 4007047188 registers.edx: 18941614 registers.ebx: 422464690 registers.esi: 18957387 registers.ecx: 18974571	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb b8 92 f6 ff 7b e9 13 03 00 00 52 89 2c 24 bd exception.symbol: leon+0x242283 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2368131 exception.address: 0x1212283 registers.esp: 4652512 registers.edi: 0 registers.eax: 26912 registers.ebp: 4007047188 registers.edx: 5630288 registers.ebx: 4294943404 registers.esi: 18957387 registers.ecx: 18974571	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 53 e9 60 ff ff ff 5b c1 ea 03 51 e9 ed 00 00 exception.symbol: leon+0x247cf0 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2391280 exception.address: 0x1217cf0 registers.esp: 4652508 registers.edi: 0 registers.eax: 18971625 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18952157 registers.ecx: 2116157440	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 68 bb 64 7b 67 89 34 24 50 89 14 24 ba 81 c6 exception.symbol: leon+0x248727 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2393895 exception.address: 0x1218727 registers.esp: 4652512 registers.edi: 0 registers.eax: 18974738 registers.ebp: 4007047188 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 18952157 registers.ecx: 9431381	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: fb 53 89 14 24 c7 04 24 df a1 e3 3b ff 04 24 e9 exception.symbol: leon+0x248de7 exception.instruction: sti exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2395623 exception.address: 0x1218de7 registers.esp: 4652512 registers.edi: 0 registers.eax: 2179107154 registers.ebp: 4007047188 registers.edx: 1195731897 registers.ebx: 0 registers.esi: 18952157 registers.ecx: 18977895	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/num/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (13 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://185.215.113.16/well/random.exe
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.16/num/random.exe
request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 91 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01381000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4437 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (9 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\1000003002\61b112e7ef.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\1000002001\dd0dbe53a9.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\dd0dbe53a9.exe
file	C:\Users\test22\1000003002\61b112e7ef.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\dd0dbe53a9.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 17, 2024, 10:12 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1
ShellExecuteExW Aug. 17, 2024, 10:12 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe	1	1
ShellExecuteExW Aug. 17, 2024, 10:12 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\dd0dbe53a9.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\dd0dbe53a9.exe	1	1
ShellExecuteExW Aug. 17, 2024, 10:12 p.m.	show_type: 0 filepath_r: C:\Users\test22\1000003002\61b112e7ef.exe parameters: filepath: C:\Users\test22\1000003002\61b112e7ef.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (33 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: smss.exe process_identifier: 224	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: services.exe process_identifier: 444	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: pw.exe process_identifier: 988	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: mobsync.exe process_identifier: 2284	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: pw.exe process_identifier: 2328	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: taskhost.exe process_identifier: 2380	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: svoutse.exe process_identifier: 2836	1	1
Process32NextW Aug. 17, 2024, 10:12 p.m.	snapshot_handle: 0x000002ac process_name: 61b112e7ef.exe process_identifier: 192	1	1

An executable file was downloaded by the processes svoutse.exe, 61b112e7ef.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¢ÀfàÎ¯ À@ `x¯SÀÈ(&à@® H.textÔ `.rsrcÈÀ@@.relocà@B°¯HÀý¢Ir9£´ûb$9~t$r>í.Åù¸ð¿wq !çCÎinIçi¢öøªD¡<éj»TêÚ3½_û´/ÇÀãGü¸³à³ðdº J7÷=u(&ÁìÖåfO-¤ãô6èBóhb4^8nûGIî <' 4gRJåû¤"îN ãß1{Örk3è"ËîÒamY Æcu\v ÛÏ¬à @V .Õ^¦u·Õ+ÃëÕûk5[ ¢m3þýZöt-iñ-ôBº§Ê&¾W <<?FS¢>Lá:^µ¤wcaù4C.Ô± Z¤RX_S4!z"Vm;¨Äè@ÝÜ¼)¢k¬Ó~Ë6Õdù¯Np½¼µ\|Ã öÑÔ]·©ý7_öj¨1Àz§zêvF&©G¤Ö6ÇTæ>J[2'À%ôºî{Úñ@=Ñqàplc4éë&mphrúp+YäaK3"¼èó£]¯g/@Õ])ßÄÄ9{p{ÏìÄÐqzüwóàlUÁØKFDOZ#l`ÞµN}!<ï$3¢úG\|ïq ÜWMø!cxÂò;ßëñã ®g#¿§ÿy®¢ÈÛ#8Ç$:9ôý,ìSØo8j:ÉRséoª®^gÿ¤ÊB6ÞÎ·ÇcÅäH]ÀÆÎÆìÏvè^£j Ðã´Ü6Ê÷Wë\Õþy¾CF¯Ü_bL¿ TbÞÍ²¼©c¬õ¥»©ímÝ³¹æ¹}ç¦°ÜÞ¹é¾³¡®øô{ÏöÐ¿¤ãÞ÷³©Ñve ós5sG ¢1Îº:0ÞãFÊZ©VÇMÛ·\7K1G®Ñ2ðâ4µ¢¢çwµ281ÆSHþP¡Ü!áý!»]->èbÄ +ª-ÉÀRf÷¤!¡3$ºòZK-{Ñ-ßåé4#pÌq¨õ¼£ÀqëÜJß¡5·ÑË cíÓtªWÖþ¸{F_½èóU²,¦D_ Ä¶ aáÊLcB «X,þ×¨Á`±/çÕ0@qm{:=kØ\ ©tØÁ#~©óµ¸B¢ñEÂD};H§Õ¨©ü®<!þ·ûó}c4 ã0 lH)'2ù{Õ:´{a8ö®Õ ·0ÃÝlÍÞ}v`¹ H pQ.§ÚÇzù2½u;S^<+9Í]¶ûP8jWN´áçÎ`î!ÿK'´ýpS 4vfªª#.Ô¼Jß#ãÜNèùÅ{i_Ã¸Ú¢Ó:£m%MQaÈêð 1èã[© ¡=DÐó(¸äíÁ_JW ¹F6WÛX¬=p2»øê]ü¤NÞe©ò4$oàÑ¼ÁTFE\Ø¦9Ðx}ÁNeÚï×ýpÎæ_FìÁìMÇb2L8 eõJh-¿è²¿ý\|U¯¥ÀH7{4ÝS¨ <Å¶Ñ$¦Âóy×-áë!2>béêæÃþÆþ«oäißd&ÿÛ· I Cy»KR§Î$[ìÚ¬8×û£©×5¹Ñ1[nkX"µlåï2¶q0¬²MÒræÑ0ÖõÁ{5Fi¼ó]öSÏS2lÀ¹`b±áÈ§qafïG×Þ÷ß}«]Ú¿ºÀÂ7×ÅãÛáÀ>l4hÇ ö+4Oì´!²xFS$í?¿aöc ó¤ÝCLW£ïàËë#0}aìV;¿¦à+{hâÄ)]°gjó<ªÐ¼Kcp%âxZûT}õó'¾/[{¨É°d¾¯XÜÞ6O¥¾rÝû¢Z´<¬5_xìÚý¢)¥[º!äÚ§oPxÓk±ú¢ÙÏº2Ã¿[â>c"NPy¤Äx¯Cê-F°c8²û ÆÌ#º"=äB\ÛXÃÆ?ø~ïhÑ¦ã¯¦þøyî#s0ùõ>1 GO11e¶¯Bº%â}ÊR£ºíÈãV%ó´=ÍÙT3ñLyG£Ð]ÌÖHÆD&ÊT!ñÀ½((ý`¤ k×£¹XòÙ$¢> ÇNOkqÈççhã»¿ot9jëÅelå¥hzôd?-¾N\|Þýßþî¯òPÈÂ,#+X±;mZØ\ò¶~4äGÿ<ÈeÒA(®Ò³l¢z.OáS$3á+;¸ÂµÏÐD³HýÿçÞÌAÙ·eMA7ñbc~ÔáÁÿ$çqïÂû¶D(Ú àu7ãÄÔåînÛXTv¤µíá\+ÉU:T7öëéÎSs+}¹óbæ§û£?Äi$/QÓçÔ3ÿvh,2¾xdÖBÌX³»E·Â£ À¯;6Ä?+[×w±r0Ö«] ²;òØÚùuUJPB8ß>Èuä="@÷ævàû15'rJJ O=%³ûË¼6ÙEe&ó÷ÏFùFËÄÝîØ¤ôDÎíföái<Q[+qµRí$û¡#X~eÎÛä(?<¶J¯snÓxüß!Èïß@ê¼FÙßÃÍJ(þkýÉMÛÚµorÐïð/y2îÁº$[ÄxÖÅ'H û_uQF%Ìõp`>L-Sï%³%dùÃÈ3ï3®¿uZÁäO´}öZÌvn²',ÙT(0Ñqa¢Ks´1e°q¥[ 3¢T»>sgbÞYT\|8!g´î¡GM¥ÎÐÉê:i¡wÞ®n¯2zCÁ.ûÞ¥`ø+ø·åÔ®ìSÕêÝ2ê` ëX·E¿$µ®l%iñÃÁåÑkêL«M)îmÂWO:d>>Fø½ºÆ"}ãe¦§`U)Pi+ Zù±]õvC1·óf Ñ"o"ÂT7}ô,DÚV\|fê¡íN;ÏÅæk=ºIA®²6DÙ°ÝU×¶Rxâ÷¼`õÐÿÎq©¼]°bç±'û4®AºãtíoLÏÔ`¨¹à-úÿ:j% PÐ_·HÑØN0Ê(¸ ôÓåÖ¶nDW@LqWªÒNòH·>%6 îXR1>P dê¶3òÜSòFF3^Ê¼&¯®^aZK]/ÃV?ÅYWNÆ¥·],êDÕ©Öê hu=p¢v\|Z4R½ÏqSÙà¯°£@b2ÙNÀN:þØ5âÅÏtp-J¿øØù®½ï¸°ôÄJÏc³[ {1'õÏ9¢ÑÑ¯&U®üJÎ)£®¤»â½ðÙÖ"à#¥`§zwSx¢C) ëªé}6Û3ê42§N³Y\ÑyõõßÇ@iï>u'¯fu¥? UknÚ¡µß[õ¹qfÅ¯¬ø»mî ¬ÝTHÓçTTß 1éÜÁð¶ä7)wbõd»µ¥t'bG93½âd?9¼³3ädIgÉÒ9¦u$¡säà¹ûÚ¶Á÷,®",â/Å'uóõ^d¤»5'Ãôç{ÉOQboG6LdzS\|Úë®®Uon ò.²º0o¿@ ö& ÙxM/gN>¦1Ù xn¹üF@ÏAX·¨ã@Ù1N¹'¿>5áÂÑ8¡×Õ´ÊzDð(_[ªçÀ.P¦Åçÿi 1v¨=<I9ÍJ/ OAÚN(tu÷Ø5Zî-ÉMsD³²×HC¨hâRÊ3×³@GÄºÅ8,~æ4àIîÛu0Ðño4=±¡®ÁEøqÒ>ÛÉqºû©áÒÔë¥Tq}Áü *lõùxÐ3@$>)Ô$>Îæõ¯\|hýñË8-þx$\Í/-¸%¹Ñ-\|³?ÎÂÜí¥"gÊ8öð~¾ê bíÏÖÎç'´:~Òihrð§r¨Yªw(In-å+îrî°ê#X$âGÈÐ»n,¬8.n 6$ª²×GoÙLlàeÌ\|ÀmI+?.â9cËü xåã&nAígU"> ÿ-¤ÚIr r×Õ^8ãö´QH½¾&TÀ6I´È`Û{¹F'cÎ±ë _^¤8ÆÇÈ÷-.¡ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELØ ÀfàÎ' @@ `x'S@È(&`@& H.textÔ `.rsrcÈ@ @@.reloc`@B°'HÀQÃn#ÔùgPY xMÚíò!Hwxk`åû¨Ý¯æ{Âcã+, ýßÆ2ÑóÂäï©èç ôæî{¨qc$Ä6Ü[ô®¯ ½¥eüÎZø¶Ó «z5ïFH1^É!v 4«Áñ;G Fü+öò±(¥û¿pú½òih¢ØèÉÄIP]%á®jÊÚ-nÜ( Dññ'È:~ÅÞ£_môþæLÉgã\|P¨lú/´è/4ôÇ£ùbe8ÓÄ0 \¼Èf£ÂdYê¢^â¿½o;#ÝÃJò3ÂýÜ)6à¢¦WH}Àí "åKq¯¨öo½dòc!¬ç.LË0Âeà<ÐóCRõ$f¤M¾)OA{pÒïTdX¢ÌARÛ¼Pÿs°ScløÄÌZ#Ì$÷¿ÔUO¾kH\|)yoY'ø$ ¤.ÑÛ !Ä,~ûûÐWsºnøÚQ4Zu©ûïãÄT÷ÊÅqª£ìøvÔwáµ¶ÿØ<Åâ¢]K[µ9«®©EÂc9¼n2ùìë¶'Íþã¢f4É;}+õû{ëÑbIY¿Ñ G"ò )µwó²ßü?ðå=ÜbêER5Üí<¥Q°´×gSÜ×$¥E²SHy/«$K ý"$¼¢óÄÚ©ü¾¼ñj:Ï²DòsäJ~¸Å½ßâ®m>IÀà¢kÀóìêùî@ÆlR\kr¾SÈàqs%KÈÈ· ¬ø Ø=£bWY4þN¼+q&vU«¿%¿o`[°Ï© m¶%Zpî°gñõ"C¤q° ìÓÐÙîàVi[BÓ§éäÛÉ»úªQDØ-ÀXhØB[fÇü2Ôþe§t[¨²vk¸º$r\|GZ7ËØ/¢[´ 0ü¶I\|! ñØ«9§´µ88?»ýÃ.ôXëµ¨LNib@Vè§E[` LÔãY` ¡T@ÚxêùÝ²£Ò ¸Frse¡<^îoÎì<ëá3[DÐCßõ·Â<j #¼Ïd°^¢å ë¤Mz©'û~jCºRV ÁËkqÙèKV¥¥ØÞÃsV?"(ÜGJ ]·ûp¸åø{Ï"Rxßl^oú ù·uñEtZPyÜ×OV >éØLÑ,l´È<ïúÃ]mÉÞÖ.Ï¥zlD¥DÞzJ³æÓÕàîüÝ ×ÃWß¸åb÷olVgHÎ` ]S¶Æ;BO¿4_'C¡Ò¶áæB8 \VaÕ×Õ-iètË»§k;æðænºñ²êËêßd¥ÅÎ¦Ø,u]êhêü§ÕÉI®T¯ídéVñéûµq1`ó\0ÄYÆlð1$B!Q AÁsÌznßqüøÇ÷n´Z¥Æ\|6ûÔÜ8ÜÍyc^3ºF\^·ÑÅ÷vÌaÐÆSº=ÿÅæÑÖå¿nÇËiëð¨¥¸`¼Ð»iÿè9 <$Å§õ ×ÝÅü·PÎß8 Ð8ºiÚki©fh8Åjig£¡`Ø(nN®~´v)äÝªÁuæËg/uÓWãOç Ì(Êºj?lu.áAAÙëÍ+¿p>H%£Iç±à{ª._ª¯B;¡tÚ¾í?zsB¶àc©z#=1òçÖ3ØR ¯ÛpelZËú¼«Ó×Øµ¸-Û\|ÛÏÈÑTÿc¯]ð¢gkW¬½Ð«áäSLä<±¬Á®æ©qRåø¢°§K9]ÜÕÅúMrx?yUc¹!èÇëZÁáB"ÈæÊ2t¯¤®ÎÌ¤?Y©hÐS9aÞ¯½èTÈ7q6/Ë®p¨=±_P~ÂÜÊ ðYtVd@¶ ë°_?>¥N<8Ý½ KdF.° òd¤@d¹·¯ü $ÚÑQ }}#æËB\|²'t´ 3àeiþíù^k T+Õ®/ûUI6 ¼»X Üi]²¯%ÌPzGóA9ùÿ"+»yÈ(§ObàÖÅj_"6&.X<·ïCØßmÌ¢XöÏ2Løï« ß¯ð¶ós¤T^¶¤Wýý`÷ìxiè÷FF%)ÊÅ¸½Ja~¡E})â¿þ:hÂ°ÞÎi¦hF¥BªH¬Ö`Hâ¿Á<¨A`fáf%w ¼Ù#82CJ÷9ó5ù<øXÐä+mvÂp.ár¼ÈÓ`¸â¨.y>wåÒìÑ ËzÌ²kNó0"bGúú ó!)D¿= KÑÝÝÑYZGmè(´É¨Ç¬¾éC¯Ñ!{5>®lJù&àôI¿®V:ÐÐ¾6±ÂÊÀ\|èb_ñ6Bop\nP /Õ´ÂóRÊdæÈm8;èÒF¶~T°ä]M³õ(Ñð2HùÜ¯Ox¦ `S7¬ÌË}Ûé.ÊR¬Wñ:Y\|³)±1ãWøD{\|bx´ôH¢SÍüàÒa.k3Ç@rf} CjkK¦©±x½-åeæ$ }^- ãä)¡åBiA7¬Óÿ:ÎY(&]' +ò7¦ùÎðùë p¶k]¤¸¸>\|Ce &}µ8öP;!¦üøEe»Ðr»+½wÖ¡´B°#W¡Ó©gHH¬DÔ lzh ¡i]Æ«~q\¢Æ$æ$ú±nL,àÿ\|SbPñIãôýT<Zèn[òR¥³°ÛIûÿriéÍô¾)hd\|P°#eW ä]¿ÄÀ¬Ã½®g?ÎøhS>ºÒEDÖI¥¿!Fÿð)ü<ñçÎÜo>¹ùâÔ[ãF©,»¨M¢~[í<BBÜQ8à(Í^ ÃOo9=ä¨ÝÕ 1m1-èrÓ¡èvTÝ1@,¾Y[¬¸ÝÍ¦.mØ¶8Ò²Û.»6E±É}V§Ê%·ä´m"i~ç¤· )ýqþ;âAÂv£[µößãYvù÷u¾ÕÞê.%.´êðü'È¹PA®uQKéé×ÍöÇP \|?K£#NÈeÉÙxPPÏ5Q¬4w£±)â]WÖ? ÆXhû?ÒbZy×ñ çôWBZ´=xaÁ±Ømùxðºx±ªBr97Å}\ %µìúg+n}ÀsD®mNðª¸tDo-ù"60Îªe=mK}7sEÉN>Ïµ hO¿ÎØg×Ò3Ë5-[3+ÓÅyÒ éxêÞþuäêéÉò2ÅÃcì\|Ý%UòUÁ¡3µ¦Zµ;ga#÷Þjú%¿øe^CÑµE=x´ÏI«8_÷Ûo®¨:õ_U7ý:újVLø#')-à=¨wáÑÄçÛÎÊØ¡üzV®(d«+Ûlà°èµÑÛÆç²¬0.×äò± uÚÙÀr9VuMÝóäx¸UP² áBº÷&>¯@Üã´ñ6ê÷ N+ú¿É\÷ÿº4Y#1d¥xpÙq ÝõÃ:K"{n'L¦o!ß£càáÀ$#R?í´$Í]oKe~B! éèÝàìS#úÈ¾2ó3JÐÑÉ«ø/Ã9÷hÙíRC`\ýÇ f`?¡VQ~`ïæpºbaO´OZ¯ >î_¢&CÓ;áò®¬õcûW{õå.ÇîW 4¡º&ébÔØ»îÝ×wFøú4]´d84MøDHñÀº£ê/44ªëGA »EÔg j¸EM9d¾:}®iWÚ½_÷M%ÞÆj÷@Æm0OFDÛ_¡Ü>»"ïbuôÞçà¨ "\|iËY*ñÞõMDµã¸!°¢°`4NyAª£ië<CMqÁÃÌógiÅí"õÝdD¥Ý!Ìëiæ ¦¯lqðø¡SsU.õnË¨pÑÚ°J0 ,R¿lä`YRn¶he ¾-§è%änKÃ0V&(îõê®W-¾ÕYÆÕÞÀË¿× ghÒe§"HdÁÇ0°ÊFÀónÇ;x½ÿ.ucÞÝµÚÐ³j.Ò³ í¶ü°~9ÅÑW}lªÀMêz4]ÎÜ?ÙZC]Fµ_ Zo'\| request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.relocDà#F¨@By¹ApÈAÙÈAUìQEEü}tMüÆUüÂUüEèEëàEå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìEèExMÿUMMMëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSjh0hÀAÈjÿ$ÐbEüPøtÀüÉÀøX}üt,ÀhÀæEüPèNsSÉÉü[hhÀAÈMüQÿdÏb[å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQÇEüjj@h0hÐjÿØÐbPÿÐbEü}üujÿìÏbèRÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì(EÜPÿtÏbMðMØ}ØsjÿìÏbå]ÃÌÌÌÌÌÌÌÌUì¡@ÍbPèâaPè,sÄÀu! ÎbQè9aPèsÄÀujÿìÏb]ÃÌÌUììjjj¡ÐÈbPÿ,ÐbEôj MôQÿÐÏbEøUôRjÿpÐb}ø}jÿìÏbå]ÃÌÌÌÌÌUììHj@jE¸PèrÇE¸@M¸QÿÑbøujhUÄREÀPèÁjhRPèÁEøUüëÇEøÇEü}üwr }øWsjÿìÏbå]ÃÌÌUììÇEøÿhjÿÀÐbPÿXÐbEôEüPhjMQURÿ¬ÏbÀuEøPMôQjjUREüPÿÏbMüQÿ(ÐbEôå]ÃÌÌÌÌUìì\hèjüÿÿPÿäàAÄh4MBhäMBhè\ÿÿÿÄPüÿÿQÿlÐbüÿÿRÿÏbøÊhbBüÿÿPÿlÐbhÿ Büÿÿèh¬NBàûÿÿQðÉbRìûÿÿPüÿÿèÎÈèÇPüÿÿè«àûÿÿèìûÿÿèõhBøûÿÿè%jÈûÿÿQèrÄP¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèdÈèÍPøûÿÿèA¼ûÿÿèÔûÿÿèÈûÿÿèjøûÿÿèCPüÿÿRÿ0ÏbüÿÿPüÿÿQìÌøûÿÿRèæèÄÀtMüÿÿPüÿÿQìÌüÿÿRè»ìÌEPèÊ¤ûÿÿQè7Ä ¤ûÿÿèíøûÿÿè²PÿÏbøûÿÿèüÿÿèjjüÿÿRÿäàAÄøûÿÿè¦üÿÿèMèå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüÁ\|ènMüÁHècMüÁ<èXMüÁ0èMMüèåå]ÃÌUìQMüEPMüè MÁ0QMüÁ0è»UÂ<RMüÁ<è©EÀHPMüÁHèMüUBTATMüUBXAXMüUB\A\MüUB`A`MüUBdAdMüUBhAhMüUBlAlMüUBpApMüUBtAtMüUBxAxMÁ\|QMüÁ\|è Eüå]ÂÌÌÌÌUìQMüMüÁ$èNMüÁèCMüÁè8Müè0å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMÁQMüÁèUÂRMüÁèEÀ$PMüÁ$èwEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììthBMèèêhBMôèÝEüÿÿ½üÿÿt½üÿÿtW½üÿÿéÇjhþÿÿQèqÄP\þÿÿRMèèoPMèèæ\þÿÿè;hþÿÿè0éjPþÿÿPèÍpÄPDþÿÿQMèèPMèè¡DþÿÿèöPþÿÿèëë@j(8þÿÿRèpÄP,þÿÿPMèèèPMèè_,þÿÿè´8þÿÿè©}0hbBüýÿÿQURþÿÿPhdOBþÿÿQUèR þÿÿPMôèÈèÈè{ÈèPMôèëüýÿÿè@þÿÿè5þÿÿè þÿÿèéM$QÀýÿÿRh´PBÌýÿÿPMQØýÿÿRhPBäýÿÿPMèQðýÿÿRMôèùÈèÈèëÈètÈèÝPMôèTÀýÿÿè©ÌýÿÿèØýÿÿèäýÿÿèðýÿÿè} þÿÿPMôè>PÿÑbEä}äÿu5MôèVMèèNMèFMè>M$è6M4è®ûÿÿéh\QBÌþÿÿQÿÐbÀthRBÌþÿÿRÿÐbÀué}hBþÿÿè(}0æE$PlýÿÿQhüSBxýÿÿRÌþÿÿPýÿÿQhTSBýÿÿREPýÿÿQh¬RB¨ýÿÿREèP´ýÿÿQþÿÿè Èè)ÈèÈèÈèÈè ÈèvPþÿÿèêlýÿÿè?xýÿÿè4ýÿÿè)ýÿÿèýÿÿè¨ýÿÿè´ýÿÿèýé¦ÌþÿÿR0ýÿÿPhLUB<ýÿÿQURHýÿÿPh¤TBTýÿÿQUèR`ýÿÿPþÿÿèÑÈèZÈèÃÈèLÈèEPþÿÿè)0ýÿÿè~<ýÿÿèsHýÿÿèhTýÿÿè]`ýÿÿèRìÌþÿÿRèáèlÄÀ«h BþÿÿèahVBüüÿÿPMQýÿÿRhôUBýÿÿP ðÉbQ ýÿÿRþÿÿèÈèÈè÷Èè request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 17, 2024, 10:12 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.979699103732625, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97969910373

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019ac00', u'virtual_address': u'0x00312000', u'entropy': 7.953601939832694, u'name': u'yulglecm', u'virtual_size': u'0x0019b000'}

entropy

7.95360193983

description

A section with a high entropy has been found

entropy

0.994011976048

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000002b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Communicates with host for which no DNS query was performed (4 events)

host	172.67.202.34
host	185.215.113.100
host	185.215.113.16
host	31.41.244.10

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 442 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 17, 2024, 10:12 p.m.	class_name: OLLYDBG window_name:		0	0

A process attempted to delay the analysis task. (2 events)

description	svoutse.exe tried to sleep 1437 seconds, actually delayed analysis time by 1437 seconds
description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6e0e2db711.exe				reg_value	C:\Users\test22\AppData\Local\Temp\1000001001\6e0e2db711.exe
file	C:\Windows\Tasks\svoutse.job

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000002b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 89 3c 24 54 5f 50 e9 exception.symbol: leon+0x1f6279 exception.instruction: in eax, dx exception.module: leon.exe exception.exception_code: 0xc0000096 exception.offset: 2056825 exception.address: 0x11c6279 registers.esp: 4652544 registers.edi: 5320206 registers.eax: 1447909480 registers.ebp: 4007047188 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18622344 registers.ecx: 20	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
McAfee	Themida-FWSE!962F3DE7B7EE
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!962F3DE7B7EE
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.962f3de7b7ee4a08
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=81)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36812.ZDWaaWC@eFoi
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Fortinet	W32/Themida.HZB!tr
CrowdStrike	win/malicious_confidence_90% (D)

leon.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All