Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 25, 2024, 6:42 p.m.	Aug. 25, 2024, 6:59 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d3348d383a614ddf7405f189fcf10a4b`
SHA256	`74578b222794e3342c4f7d4ee59d0191e7bdd6a2329eabf6e034e285393ddadb`
CRC32	`4C976099`
ssdeep	`49152:wqasW2hgzWDV2rJkkaWbiad4tC9kvWoXKWW2C:wzsWJzWDV2tCAd0YkNX7o`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

runus.exe "C:\Users\test22\AppData\Local\Temp\runus.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch
31.41.244.11	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.100:80 -> 192.168.56.101:49166	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 31.41.244.11:80 -> 192.168.56.101:49169	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.101:49169 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.101:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 90 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:43 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:44 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2024, 6:42 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	xnccregs
section	tftqeker
section	.taggant

One or more processes crashed (50 out of 125 events)

Time & API	Arguments	Status
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: runus+0x4ef0b9 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 5173433 exception.address: 0x78f0b9 registers.esp: 1441468 registers.edi: 0 registers.eax: 1 registers.ebp: 1441484 registers.edx: 9670656 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 19 00 00 00 81 c6 2a b5 fb 5e 81 c6 d1 a9 exception.symbol: runus+0x242397 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 2368407 exception.address: 0x4e2397 registers.esp: 1441432 registers.edi: 1968898280 registers.eax: 32189 registers.ebp: 3995140116 registers.edx: 5119443 registers.ebx: 1675870535 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 83 ec 04 89 3c 24 e9 00 00 exception.symbol: runus+0x242700 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 2369280 exception.address: 0x4e2700 registers.esp: 1441436 registers.edi: 1968898280 registers.eax: 32189 registers.ebp: 3995140116 registers.edx: 5151632 registers.ebx: 1675870535 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 51 68 b4 9d 08 00 59 89 4c 24 04 e9 74 01 exception.symbol: runus+0x242246 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 2368070 exception.address: 0x4e2246 registers.esp: 1441436 registers.edi: 1968898280 registers.eax: 4294937632 registers.ebp: 3995140116 registers.edx: 5151632 registers.ebx: 1675870535 registers.esi: 6678866 registers.ecx: 1969094656	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 e9 2e 03 00 00 8b 2c 24 81 c4 04 00 00 00 exception.symbol: runus+0x242dba exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 2371002 exception.address: 0x4e2dba registers.esp: 1441432 registers.edi: 1968898280 registers.eax: 30912 registers.ebp: 3995140116 registers.edx: 5151632 registers.ebx: 69122304 registers.esi: 6678866 registers.ecx: 5122340	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 81 ea 04 00 00 00 exception.symbol: runus+0x242bf2 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 2370546 exception.address: 0x4e2bf2 registers.esp: 1441436 registers.edi: 236777 registers.eax: 30912 registers.ebp: 3995140116 registers.edx: 4294939120 registers.ebx: 69122304 registers.esi: 6678866 registers.ecx: 5153252	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 71 04 00 00 57 89 e7 50 b8 30 72 76 4d 2d exception.symbol: runus+0x3c2f17 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3944215 exception.address: 0x662f17 registers.esp: 1441432 registers.edi: 5157930 registers.eax: 24977 registers.ebp: 3995140116 registers.edx: 6696067 registers.ebx: 47055566 registers.esi: 6678730 registers.ecx: 718	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 e9 41 02 00 00 83 exception.symbol: runus+0x3c2ee4 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3944164 exception.address: 0x662ee4 registers.esp: 1441436 registers.edi: 5157930 registers.eax: 316649 registers.ebp: 3995140116 registers.edx: 6698448 registers.ebx: 47055566 registers.esi: 0 registers.ecx: 718	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 7b fe ff ff ff 34 24 ff 34 24 8b 14 24 81 exception.symbol: runus+0x3c50d2 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3952850 exception.address: 0x6650d2 registers.esp: 1441432 registers.edi: 5157930 registers.eax: 25551 registers.ebp: 3995140116 registers.edx: 6698448 registers.ebx: 443364036 registers.esi: 0 registers.ecx: 6703818	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 9a 04 bf 42 c1 24 24 06 c1 24 24 exception.symbol: runus+0x3c53f9 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3953657 exception.address: 0x6653f9 registers.esp: 1441436 registers.edi: 5157930 registers.eax: 25551 registers.ebp: 3995140116 registers.edx: 1549541099 registers.ebx: 443364036 registers.esi: 0 registers.ecx: 6706661	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 6e 35 e0 67 c1 2c 24 02 52 ba 01 exception.symbol: runus+0x3c9d64 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3972452 exception.address: 0x669d64 registers.esp: 1441436 registers.edi: 6757021 registers.eax: 32663 registers.ebp: 3995140116 registers.edx: 0 registers.ebx: 6706687 registers.esi: 0 registers.ecx: 14288	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 53 e9 64 02 00 00 ff 74 24 04 5f 8f 04 24 5c exception.symbol: runus+0x3c9ec5 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3972805 exception.address: 0x669ec5 registers.esp: 1441436 registers.edi: 6727221 registers.eax: 32663 registers.ebp: 3995140116 registers.edx: 0 registers.ebx: 6706687 registers.esi: 1259 registers.ecx: 14288	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 e9 d3 10 00 00 89 e3 exception.symbol: runus+0x3ce4a3 exception.instruction: in eax, dx exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3990691 exception.address: 0x66e4a3 registers.esp: 1441428 registers.edi: 14036375 registers.eax: 1447909480 registers.ebp: 3995140116 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 6741963 registers.ecx: 20	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: runus+0x3cf134 exception.address: 0x66f134 exception.module: runus.exe exception.exception_code: 0xc000001d exception.offset: 3993908 registers.esp: 1441428 registers.edi: 14036375 registers.eax: 1 registers.ebp: 3995140116 registers.edx: 22104 registers.ebx: 0 registers.esi: 6741963 registers.ecx: 20	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 1d 37 2d 12 01 exception.symbol: runus+0x3ce0f3 exception.instruction: in eax, dx exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3989747 exception.address: 0x66e0f3 registers.esp: 1441428 registers.edi: 14036375 registers.eax: 1447909480 registers.ebp: 3995140116 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6741963 registers.ecx: 10	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 55 e8 03 00 00 00 20 5d c3 5d exception.symbol: runus+0x3d6960 exception.instruction: int 1 exception.module: runus.exe exception.exception_code: 0xc0000005 exception.offset: 4024672 exception.address: 0x676960 registers.esp: 1441396 registers.edi: 0 registers.eax: 1441396 registers.ebp: 3995140116 registers.edx: 0 registers.ebx: 6777498 registers.esi: 183502030 registers.ecx: 4294930682	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 56 e9 5d 04 00 00 ff 34 24 58 83 c4 04 89 fb exception.symbol: runus+0x3d6dc4 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4025796 exception.address: 0x676dc4 registers.esp: 1441436 registers.edi: 6808180 registers.eax: 29996 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 50461296 registers.esi: 10721 registers.ecx: 2133341952	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 51 57 c7 04 24 7e f7 dd 7d 8b 0c 24 e9 41 ff exception.symbol: runus+0x3d767c exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4028028 exception.address: 0x67767c registers.esp: 1441436 registers.edi: 6780904 registers.eax: 29996 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 6379 registers.ecx: 2133341952	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0f 68 83 68 00 02 e9 39 fb ff ff exception.symbol: runus+0x3e71aa exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4092330 exception.address: 0x6871aa registers.esp: 1441436 registers.edi: 6874770 registers.eax: 31432 registers.ebp: 3995140116 registers.edx: 6 registers.ebx: 50461518 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 e9 62 00 00 00 59 55 89 1c 24 e9 exception.symbol: runus+0x3e7423 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4092963 exception.address: 0x687423 registers.esp: 1441436 registers.edi: 6874770 registers.eax: 1179202795 registers.ebp: 3995140116 registers.edx: 6 registers.ebx: 50461518 registers.esi: 1968968720 registers.ecx: 4294938388	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 05 76 fe ef 0f e9 bf ff ff ff 89 14 24 ba 77 exception.symbol: runus+0x3e87d0 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4098000 exception.address: 0x6887d0 registers.esp: 1441432 registers.edi: 6874770 registers.eax: 6848018 registers.ebp: 3995140116 registers.edx: 6 registers.ebx: 1409581514 registers.esi: 1968968720 registers.ecx: 4294938388	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 57 e9 82 fd ff ff 81 eb 3e a9 0f 77 5e e9 8f exception.symbol: runus+0x3e872d exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4097837 exception.address: 0x68872d registers.esp: 1441436 registers.edi: 6874770 registers.eax: 6879211 registers.ebp: 3995140116 registers.edx: 6 registers.ebx: 1409581514 registers.esi: 1968968720 registers.ecx: 4294938388	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb b9 74 81 5e 6f c1 e1 03 c1 e9 01 87 f1 f7 d6 exception.symbol: runus+0x3e818c exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4096396 exception.address: 0x68818c registers.esp: 1441436 registers.edi: 6874770 registers.eax: 6879211 registers.ebp: 3995140116 registers.edx: 4450641 registers.ebx: 1409581514 registers.esi: 1968968720 registers.ecx: 4294939112	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 83 ec 04 e9 20 fd exception.symbol: runus+0x3eac95 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4107413 exception.address: 0x68ac95 registers.esp: 1441436 registers.edi: 6874770 registers.eax: 6887970 registers.ebp: 3995140116 registers.edx: 4450641 registers.ebx: 454633 registers.esi: 4294939672 registers.ecx: 1623470252	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 e9 38 00 00 00 5a 68 a4 c0 96 f9 5b 01 eb exception.symbol: runus+0x3f2f24 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4140836 exception.address: 0x692f24 registers.esp: 1441428 registers.edi: 6874770 registers.eax: 28247 registers.ebp: 3995140116 registers.edx: 4294942200 registers.ebx: 14827 registers.esi: 6919205 registers.ecx: 2133327872	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 e9 c4 01 00 00 01 d5 81 ed 30 cd 57 4c 8b exception.symbol: runus+0x3feca9 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4189353 exception.address: 0x69eca9 registers.esp: 1441424 registers.edi: 56308 registers.eax: 27551 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 6928262 registers.esi: 3915209023 registers.ecx: 6940268	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 13 9d 61 7c 89 0c 24 e9 4c f9 ff exception.symbol: runus+0x3fefd4 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4190164 exception.address: 0x69efd4 registers.esp: 1441428 registers.edi: 56308 registers.eax: 27551 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 6928262 registers.esi: 3915209023 registers.ecx: 6967819	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 50 68 a3 d5 7f 26 58 25 06 cd b6 7f 52 ba exception.symbol: runus+0x3fe9d9 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4188633 exception.address: 0x69e9d9 registers.esp: 1441428 registers.edi: 448685664 registers.eax: 27551 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 6928262 registers.esi: 0 registers.ecx: 6943563	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 7e 05 00 00 8b 04 24 81 c4 04 00 00 00 55 exception.symbol: runus+0x4154bf exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4281535 exception.address: 0x6b54bf registers.esp: 1441392 registers.edi: 7033257 registers.eax: 25913 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 30833 registers.esi: 7027591 registers.ecx: 2133327872	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 b8 01 00 00 01 f8 2d 9f 74 fe 7f 5f 5f 81 exception.symbol: runus+0x4151f4 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4280820 exception.address: 0x6b51f4 registers.esp: 1441396 registers.edi: 7059170 registers.eax: 25913 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 30833 registers.esi: 7027591 registers.ecx: 2133327872	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 84 04 00 00 05 04 00 00 00 2d 04 00 00 00 exception.symbol: runus+0x41520f exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4280847 exception.address: 0x6b520f registers.esp: 1441396 registers.edi: 7059170 registers.eax: 4294944188 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 30833 registers.esi: 7027591 registers.ecx: 3986923880	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 68 02 4c 9c 40 89 exception.symbol: runus+0x416073 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4284531 exception.address: 0x6b6073 registers.esp: 1441392 registers.edi: 7059170 registers.eax: 25266 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 7036451 registers.esi: 7027591 registers.ecx: 1544075686	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 a0 ff ff ff 8b 1c 24 83 c4 04 55 54 5d e9 exception.symbol: runus+0x41611e exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4284702 exception.address: 0x6b611e registers.esp: 1441396 registers.edi: 10299744 registers.eax: 25266 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 7061717 registers.esi: 7027591 registers.ecx: 4294944732	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 68 be 8d b3 74 89 3c 24 e9 2b 02 00 00 8f 04 exception.symbol: runus+0x41766f exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4290159 exception.address: 0x6b766f registers.esp: 1441392 registers.edi: 1231357151 registers.eax: 29850 registers.ebp: 3995140116 registers.edx: 1084046917 registers.ebx: 7035093 registers.esi: 7039182 registers.ecx: 7040381	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 31 c0 ff 34 08 ff 34 24 e9 16 fd ff ff 57 89 exception.symbol: runus+0x417203 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4289027 exception.address: 0x6b7203 registers.esp: 1441396 registers.edi: 1231357151 registers.eax: 29850 registers.ebp: 3995140116 registers.edx: 1084046917 registers.ebx: 7035093 registers.esi: 7039182 registers.ecx: 7070231	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 50 c7 04 24 2e bc 79 1f e9 d3 02 exception.symbol: runus+0x416fec exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4288492 exception.address: 0x6b6fec registers.esp: 1441396 registers.edi: 1231357151 registers.eax: 4294940336 registers.ebp: 3995140116 registers.edx: 1084046917 registers.ebx: 904502669 registers.esi: 7039182 registers.ecx: 7070231	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 68 53 aa 60 51 89 34 24 e9 b2 ff ff ff 83 c4 exception.symbol: runus+0x419c95 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4299925 exception.address: 0x6b9c95 registers.esp: 1441392 registers.edi: 2806252747 registers.eax: 30663 registers.ebp: 3995140116 registers.edx: 7049503 registers.ebx: 2809106139 registers.esi: 1238396333 registers.ecx: 227179696	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 a2 00 00 00 01 ea 81 c2 1a 41 9d 7f 5d 68 exception.symbol: runus+0x419533 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4298035 exception.address: 0x6b9533 registers.esp: 1441396 registers.edi: 12314961 registers.eax: 30663 registers.ebp: 3995140116 registers.edx: 7052506 registers.ebx: 2809106139 registers.esi: 0 registers.ecx: 227179696	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 81 eb a3 6e 1f 0f 57 bf 54 f8 5f 3a 81 c7 38 exception.symbol: runus+0x41fe66 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4324966 exception.address: 0x6bfe66 registers.esp: 1441392 registers.edi: 12314961 registers.eax: 31778 registers.ebp: 3995140116 registers.edx: 7067653 registers.ebx: 7075865 registers.esi: 0 registers.ecx: 1971716238	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 aa 02 7f 57 31 04 24 33 04 24 31 exception.symbol: runus+0x420056 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4325462 exception.address: 0x6c0056 registers.esp: 1441396 registers.edi: 12314961 registers.eax: 31778 registers.ebp: 3995140116 registers.edx: 7067653 registers.ebx: 7107643 registers.esi: 0 registers.ecx: 1971716238	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 68 50 00 41 7e ff 34 24 ff 34 24 e9 d4 04 00 exception.symbol: runus+0x41fff0 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4325360 exception.address: 0x6bfff0 registers.esp: 1441396 registers.edi: 605849941 registers.eax: 31778 registers.ebp: 3995140116 registers.edx: 0 registers.ebx: 7079375 registers.esi: 0 registers.ecx: 1971716238	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 55 53 bb 4f 83 9f 7d 53 81 2c 24 11 2b ff 27 exception.symbol: runus+0x42081c exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4327452 exception.address: 0x6c081c registers.esp: 1441396 registers.edi: 605849941 registers.eax: 31122 registers.ebp: 3995140116 registers.edx: 0 registers.ebx: 7110844 registers.esi: 0 registers.ecx: 690332544	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb bb 25 6f 7d 6f 68 7d af 6c 72 e9 f5 fb ff ff exception.symbol: runus+0x420b54 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4328276 exception.address: 0x6c0b54 registers.esp: 1441396 registers.edi: 0 registers.eax: 31122 registers.ebp: 3995140116 registers.edx: 0 registers.ebx: 7082512 registers.esi: 0 registers.ecx: 3939837675	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 56 89 e6 81 c6 04 00 00 00 e9 67 07 00 00 25 exception.symbol: runus+0x421825 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4331557 exception.address: 0x6c1825 registers.esp: 1441396 registers.edi: 25723 registers.eax: 26722 registers.ebp: 3995140116 registers.edx: 32894 registers.ebx: 7110577 registers.esi: 7095292 registers.ecx: 62844	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 30 e8 dd 69 e9 9c 02 00 00 5f 68 exception.symbol: runus+0x421d00 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4332800 exception.address: 0x6c1d00 registers.esp: 1441396 registers.edi: 0 registers.eax: 26722 registers.ebp: 3995140116 registers.edx: 32894 registers.ebx: 7086481 registers.esi: 7095292 registers.ecx: 81129	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 52 e9 72 02 00 00 68 c4 4c 74 7a 89 3c 24 bf exception.symbol: runus+0x429864 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4364388 exception.address: 0x6c9864 registers.esp: 1441396 registers.edi: 7143948 registers.eax: 4294942664 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 7114818 registers.esi: 14205016 registers.ecx: 322689	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 e9 bc 08 00 00 81 c4 04 00 exception.symbol: runus+0x4330c5 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4403397 exception.address: 0x6d30c5 registers.esp: 1441392 registers.edi: 7132797 registers.eax: 27121 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 7155411 registers.ecx: 0	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 50 b8 4a 38 2f 66 52 e9 00 00 00 00 68 05 99 exception.symbol: runus+0x433a50 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4405840 exception.address: 0x6d3a50 registers.esp: 1441396 registers.edi: 7132797 registers.eax: 27121 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 7182532 registers.ecx: 0	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb e9 ab fe ff ff 89 3c 24 e9 e8 fe ff ff 05 04 exception.symbol: runus+0x433591 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4404625 exception.address: 0x6d3591 registers.esp: 1441396 registers.edi: 0 registers.eax: 27121 registers.ebp: 3995140116 registers.edx: 2130566132 registers.ebx: 604292951 registers.esi: 7158400 registers.ecx: 0	1
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: fb 50 e9 0f 06 00 00 51 b9 de 28 f7 4f e9 29 05 exception.symbol: runus+0x4476b9 exception.instruction: sti exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 4486841 exception.address: 0x6e76b9 registers.esp: 1441396 registers.edi: 7217977 registers.eax: 3806340712 registers.ebp: 3995140116 registers.edx: 4294943024 registers.ebx: 7178893 registers.esi: 7178889 registers.ecx: 7266269	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/mine/random.exe

Performs some HTTP requests (10 events)

request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
request	GET http://31.41.244.11/mine/random.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4437 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\RoamingFCBAECGIEB.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

An executable file was downloaded by the process runus.exe (8 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 25, 2024, 6:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌPJr>r>r>Ó=r>Ó;(r>]:r>]=r>];ýr>Ó:r>Ó?r>r?^r>7r>Ár><r>Richr>PEL²¿fàæÊ L@PLâ @W kàÄLtL Ü@à.rsrcàì@À.idata î@À 0+°ð@àndpvhoyi0à1.ò@àepkiwgovL @à.taggant0 L"$@à request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.974862605858724, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.97486260586

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a8800', u'virtual_address': u'0x004ef000', u'entropy': 7.9542573174627025, u'name': u'xnccregs', u'virtual_size': u'0x001a9000'}

entropy

7.95425731746

description

A section with a high entropy has been found

entropy

0.994125874126

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA Aug. 25, 2024, 6:42 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.100
host	31.41.244.11

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 512 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2024, 6:42 p.m.	class_name: 18467-41 window_name:		0	0

A process attempted to delay the analysis task. (1 event)

description

runus.exe tried to sleep 1599 seconds, actually delayed analysis time by 1599 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 25, 2024, 6:42 p.m.	key_handle: 0x0000038c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 25, 2024, 6:42 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 e9 d3 10 00 00 89 e3 exception.symbol: runus+0x3ce4a3 exception.instruction: in eax, dx exception.module: runus.exe exception.exception_code: 0xc0000096 exception.offset: 3990691 exception.address: 0x66e4a3 registers.esp: 1441428 registers.edi: 14036375 registers.eax: 1447909480 registers.ebp: 3995140116 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 6741963 registers.ecx: 20	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Miner.vho
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!D3348D383A61
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.d3348d383a614ddf
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Avira	TR/Crypt.TPM.Gen
Kingsoft	malware.kb.b.993
Gridinsoft	Trojan.Heur!.03A120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Miner.vho
AhnLab-V3	Trojan/Win.Generic.R661988
BitDefenderTheta	Gen:NN.ZexaF.36812.VDWaaSTjwgc
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealc
Zoner	Probably Heur.ExeHeaderL
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

runus.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All