Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 2, 2024, 10:58 a.m.	Sept. 2, 2024, 11:04 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5f608251065b3a8efb3d707df00ffede`
SHA256	`27dab34b33fd6fd425193ab264e1a0bbcc695a173c64de5d479fc96e189f979e`
CRC32	`EDDB6A1F`
ssdeep	`24576:ULGk0+QMiQ/s4oeI0uWqD3qcrantWSvMP17B2BSLiI7YJisKRgOLqJ1A5j/:ULGFQluWqDrran/417wBhKjLpp`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2580

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49162	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 89 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2024, 10:58 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	agodkpeb
section	frgsmfqf
section	.taggant

One or more processes crashed (50 out of 122 events)

Time & API	Arguments	Status
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x4f20b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 5185721 exception.address: 0x10b20b9 registers.esp: 1374676 registers.edi: 0 registers.eax: 1 registers.ebp: 1374692 registers.edx: 19243008 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 e9 34 09 00 00 05 04 00 00 00 57 68 04 00 exception.symbol: random+0x24204a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2367562 exception.address: 0xe0204a registers.esp: 1374640 registers.edi: 14687656 registers.eax: 26841 registers.ebp: 4004708372 registers.edx: 12320768 registers.ebx: 0 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 b7 7a 4d 64 89 2c 24 83 ec 04 89 2c 24 89 exception.symbol: random+0x242212 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2368018 exception.address: 0xe02212 registers.esp: 1374644 registers.edi: 14714497 registers.eax: 26841 registers.ebp: 4004708372 registers.edx: 12320768 registers.ebx: 0 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 68 e5 e2 0a 42 e9 exception.symbol: random+0x241e46 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2367046 exception.address: 0xe01e46 registers.esp: 1374644 registers.edi: 14690869 registers.eax: 26841 registers.ebp: 4004708372 registers.edx: 604292947 registers.ebx: 0 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb ba 37 ad fc 7f 81 ea 7d b0 f7 6e 42 c1 e2 01 exception.symbol: random+0x242f12 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2371346 exception.address: 0xe02f12 registers.esp: 1374644 registers.edi: 14721255 registers.eax: 30020 registers.ebp: 4004708372 registers.edx: 604292947 registers.ebx: 0 registers.esi: 3 registers.ecx: 2115087333	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 57 50 b8 1c c1 bf 7b 35 1a c7 db 2b 40 83 c0 exception.symbol: random+0x242dc2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2371010 exception.address: 0xe02dc2 registers.esp: 1374644 registers.edi: 14721255 registers.eax: 238825 registers.ebp: 4004708372 registers.edx: 4294940160 registers.ebx: 0 registers.esi: 3 registers.ecx: 2115087333	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 ba 90 74 fa 77 53 bb 25 ad fe 63 c1 eb 03 exception.symbol: random+0x3c7137 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3961143 exception.address: 0xf87137 registers.esp: 1374640 registers.edi: 14726797 registers.eax: 28080 registers.ebp: 4004708372 registers.edx: 14683953 registers.ebx: 16279043 registers.esi: 16278596 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 56 c7 04 24 23 28 d3 6c 89 14 24 e9 2a 02 exception.symbol: random+0x3c6d21 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3960097 exception.address: 0xf86d21 registers.esp: 1374644 registers.edi: 14726797 registers.eax: 28080 registers.ebp: 4004708372 registers.edx: 14683953 registers.ebx: 16307123 registers.esi: 16278596 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 e9 d8 03 00 00 01 44 24 04 e9 9e 02 00 00 exception.symbol: random+0x3c6b6a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3959658 exception.address: 0xf86b6a registers.esp: 1374644 registers.edi: 606898513 registers.eax: 28080 registers.ebp: 4004708372 registers.edx: 14683953 registers.ebx: 16307123 registers.esi: 4294942188 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 57 53 bb 23 0e fe 7b bf 31 a6 80 bb 01 df exception.symbol: random+0x3cccde exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3984606 exception.address: 0xf8ccde registers.esp: 1374644 registers.edi: 606898513 registers.eax: 26934 registers.ebp: 4004708372 registers.edx: 16306117 registers.ebx: 57344875 registers.esi: 0 registers.ecx: 1549541099	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 89 34 24 89 e6 81 ec 04 00 00 00 exception.symbol: random+0x3d3d43 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4013379 exception.address: 0xf93d43 registers.esp: 1374644 registers.edi: 4294943480 registers.eax: 27052 registers.ebp: 4004708372 registers.edx: 1114345 registers.ebx: 16306143 registers.esi: 16298485 registers.ecx: 16360577	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 89 14 24 89 0c 24 54 exception.symbol: random+0x3d6f0a exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4026122 exception.address: 0xf96f0a registers.esp: 1374636 registers.edi: 4294943480 registers.eax: 1447909480 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 16340925 registers.ecx: 20	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x3d6afa exception.address: 0xf96afa exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 4025082 registers.esp: 1374636 registers.edi: 4294943480 registers.eax: 1 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 0 registers.esi: 16340925 registers.ecx: 20	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 18 3a 2d 12 01 exception.symbol: random+0x3da516 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4039958 exception.address: 0xf9a516 registers.esp: 1374636 registers.edi: 4294943480 registers.eax: 1447909480 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16340925 registers.ecx: 10	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 e9 0f 00 00 00 23 be 07 36 5b a3 57 exception.symbol: random+0x3de346 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 4055878 exception.address: 0xf9e346 registers.esp: 1374604 registers.edi: 0 registers.eax: 1374604 registers.ebp: 4004708372 registers.edx: 16376472 registers.ebx: 16377032 registers.esi: 0 registers.ecx: 876910421	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 d6 fd ff ff 5f 51 89 e1 81 c1 04 00 00 00 exception.symbol: random+0x3df046 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4059206 exception.address: 0xf9f046 registers.esp: 1374640 registers.edi: 4294943480 registers.eax: 26859 registers.ebp: 4004708372 registers.edx: 16377144 registers.ebx: 16377902 registers.esi: 16574 registers.ecx: 16574	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 c4 e1 be 29 89 2c 24 54 e9 af f8 ff ff c1 exception.symbol: random+0x3df111 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4059409 exception.address: 0xf9f111 registers.esp: 1374644 registers.edi: 4294943480 registers.eax: 26859 registers.ebp: 4004708372 registers.edx: 16377144 registers.ebx: 16404761 registers.esi: 16574 registers.ecx: 16574	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 ac fb ff ff 87 34 24 8b 24 24 50 f7 14 24 exception.symbol: random+0x3df224 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4059684 exception.address: 0xf9f224 registers.esp: 1374644 registers.edi: 4294943480 registers.eax: 26859 registers.ebp: 4004708372 registers.edx: 16377144 registers.ebx: 16380585 registers.esi: 2283 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 c7 04 24 c5 ff bf 3f 81 34 24 e9 exception.symbol: random+0x3e663a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4089402 exception.address: 0xfa663a registers.esp: 1374644 registers.edi: 4294943480 registers.eax: 16440277 registers.ebp: 4004708372 registers.edx: 654654 registers.ebx: 16380585 registers.esi: 2283 registers.ecx: 16388303	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 89 04 24 e9 c4 ff ff ff 5a 05 03 15 f2 97 exception.symbol: random+0x3e6103 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4088067 exception.address: 0xfa6103 registers.esp: 1374644 registers.edi: 4294937788 registers.eax: 16440277 registers.ebp: 4004708372 registers.edx: 654654 registers.ebx: 16380585 registers.esi: 2283 registers.ecx: 6744402	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 0b 02 00 00 01 d0 e9 1d f8 ff ff 57 e9 b3 exception.symbol: random+0x3f29c9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4139465 exception.address: 0xfb29c9 registers.esp: 1374636 registers.edi: 14684966 registers.eax: 16461294 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 36061627 registers.esi: 1968968720 registers.ecx: 605325649	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 b9 96 ca e7 7d e9 fd 02 00 00 81 ea ee 2b exception.symbol: random+0x3f35e7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4142567 exception.address: 0xfb35e7 registers.esp: 1374632 registers.edi: 16461698 registers.eax: 30791 registers.ebp: 4004708372 registers.edx: 1075746730 registers.ebx: 36061627 registers.esi: 1968968720 registers.ecx: 1114450346	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 01 64 2b 7b 89 04 24 50 89 e0 05 04 00 00 exception.symbol: random+0x3f374b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4142923 exception.address: 0xfb374b registers.esp: 1374636 registers.edi: 16492489 registers.eax: 30791 registers.ebp: 4004708372 registers.edx: 1075746730 registers.ebx: 36061627 registers.esi: 1968968720 registers.ecx: 1114450346	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 56 01 00 00 4b e9 c4 fe ff ff 5c e9 ab 00 exception.symbol: random+0x3f365a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4142682 exception.address: 0xfb365a registers.esp: 1374636 registers.edi: 16492489 registers.eax: 4294939636 registers.ebp: 4004708372 registers.edx: 1075746730 registers.ebx: 898281 registers.esi: 1968968720 registers.ecx: 1114450346	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ee 3d 1e c3 7e 55 bd fb de 7b 5d 81 ee f2 exception.symbol: random+0x3f6a92 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4156050 exception.address: 0xfb6a92 registers.esp: 1374632 registers.edi: 16492489 registers.eax: 31266 registers.ebp: 4004708372 registers.edx: 580083650 registers.ebx: 1297916899 registers.esi: 16474031 registers.ecx: 580083650	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 ac ff ff ff c1 e9 05 81 f1 70 b7 14 76 29 exception.symbol: random+0x3f656c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4154732 exception.address: 0xfb656c registers.esp: 1374636 registers.edi: 16492489 registers.eax: 31266 registers.ebp: 4004708372 registers.edx: 580083650 registers.ebx: 1297916899 registers.esi: 16505297 registers.ecx: 580083650	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 aa 01 00 00 81 34 24 86 b7 57 20 89 3c 24 exception.symbol: random+0x3f639d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4154269 exception.address: 0xfb639d registers.esp: 1374636 registers.edi: 16492489 registers.eax: 31266 registers.ebp: 4004708372 registers.edx: 4294939260 registers.ebx: 607947093 registers.esi: 16505297 registers.ecx: 580083650	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 fc 06 00 00 83 c4 04 e9 df 02 00 00 5d c1 exception.symbol: random+0x419ba5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4299685 exception.address: 0xfd9ba5 registers.esp: 1374600 registers.edi: 16614736 registers.eax: 32396 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 16620359 registers.esi: 16614736 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 d7 0e 7f 77 55 e9 ec fe ff ff 5a exception.symbol: random+0x41a170 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4301168 exception.address: 0xfda170 registers.esp: 1374604 registers.edi: 16614736 registers.eax: 32396 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 16652755 registers.esi: 16614736 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 e9 fa fb ff ff 29 c5 e9 25 fc ff ff 5a 81 exception.symbol: random+0x41a37a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4301690 exception.address: 0xfda37a registers.esp: 1374604 registers.edi: 3300232032 registers.eax: 32396 registers.ebp: 4004708372 registers.edx: 4294938388 registers.ebx: 16652755 registers.esi: 16614736 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 29 ff 83 ec 04 89 1c 24 56 89 exception.symbol: random+0x41b852 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4307026 exception.address: 0xfdb852 registers.esp: 1374604 registers.edi: 16624655 registers.eax: 26827 registers.ebp: 4004708372 registers.edx: 16652037 registers.ebx: 436241744 registers.esi: 16623875 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 57 e9 94 fc ff ff bb 3a 37 exception.symbol: random+0x41b718 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4306712 exception.address: 0xfdb718 registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 3515426408 registers.ebp: 4004708372 registers.edx: 16652037 registers.ebx: 436241744 registers.esi: 16623875 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 70 00 00 00 68 3b d7 7f 37 e9 34 05 00 00 exception.symbol: random+0x41bdf1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4308465 exception.address: 0xfdbdf1 registers.esp: 1374600 registers.edi: 4294943156 registers.eax: 26331 registers.ebp: 4004708372 registers.edx: 73482279 registers.ebx: 1910578498 registers.esi: 16628315 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 87 5d 6a 3b 89 34 24 89 04 24 68 ed 25 0b exception.symbol: random+0x41bb22 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4307746 exception.address: 0xfdbb22 registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 26331 registers.ebp: 4004708372 registers.edx: 73482279 registers.ebx: 1910578498 registers.esi: 16654646 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 57 51 c7 04 24 00 15 ff 7e c1 2c 24 01 c1 2c exception.symbol: random+0x41c4c2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4310210 exception.address: 0xfdc4c2 registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 26331 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 9824597 registers.esi: 16631338 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 54 5b 57 bf 04 00 00 00 e9 00 fc ff ff 5c exception.symbol: random+0x41cf5f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4312927 exception.address: 0xfdcf5f registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 0 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 1442867808 registers.esi: 16634613 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 2d c0 7e f2 6f 81 ec 04 00 00 00 e9 78 04 00 exception.symbol: random+0x41dfb8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4317112 exception.address: 0xfddfb8 registers.esp: 1374600 registers.edi: 4294943156 registers.eax: 16636785 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 910364410 registers.esi: 16634613 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 5b 07 00 00 58 e9 3b 08 00 00 01 f3 5e 4b exception.symbol: random+0x41df6c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4317036 exception.address: 0xfddf6c registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 16667352 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 910364410 registers.esi: 16634613 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 ff 30 b0 38 89 34 24 be 4c 01 df 1c 55 c7 exception.symbol: random+0x41e0e6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4317414 exception.address: 0xfde0e6 registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 16639944 registers.ebp: 4004708372 registers.edx: 44777 registers.ebx: 910364410 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 e3 00 00 00 01 c5 58 e9 0b f8 ff ff fb 83 exception.symbol: random+0x422f4f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4337487 exception.address: 0xfe2f4f registers.esp: 1374600 registers.edi: 4294943156 registers.eax: 27076 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 16655765 registers.esi: 0 registers.ecx: 1971716238	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 e9 6f 00 00 00 4e c1 e6 01 exception.symbol: random+0x422f5d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4337501 exception.address: 0xfe2f5d registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 27076 registers.ebp: 4004708372 registers.edx: 4294943144 registers.ebx: 16682841 registers.esi: 0 registers.ecx: 24811	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 b9 9e ba 75 4f 53 e9 56 fb ff ff 50 b8 70 exception.symbol: random+0x42580a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4347914 exception.address: 0xfe580a registers.esp: 1374600 registers.edi: 4294943156 registers.eax: 30544 registers.ebp: 4004708372 registers.edx: 1934146791 registers.ebx: 699246026 registers.esi: 16666028 registers.ecx: 24811	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 e9 03 00 00 4e 56 f7 14 24 5e 81 c6 ff ff exception.symbol: random+0x424dc5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4345285 exception.address: 0xfe4dc5 registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 30544 registers.ebp: 4004708372 registers.edx: 1934146791 registers.ebx: 699246026 registers.esi: 16696572 registers.ecx: 24811	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 52 01 00 00 f7 d2 81 ea 5b 3d b3 9c 89 d6 exception.symbol: random+0x425617 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4347415 exception.address: 0xfe5617 registers.esp: 1374604 registers.edi: 4294943156 registers.eax: 30544 registers.ebp: 4004708372 registers.edx: 1934146791 registers.ebx: 81129 registers.esi: 16668876 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 e9 82 ff ff ff 57 bf f1 86 ff 66 c1 e7 04 exception.symbol: random+0x4267dc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4351964 exception.address: 0xfe67dc registers.esp: 1374604 registers.edi: 3939837675 registers.eax: 4294943764 registers.ebp: 4004708372 registers.edx: 1978829312 registers.ebx: 16697948 registers.esi: 16668876 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 c7 b9 d2 22 17 56 68 52 7c df 2d 5e 81 ee exception.symbol: random+0x443ea3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4472483 exception.address: 0x1003ea3 registers.esp: 1374600 registers.edi: 16791559 registers.eax: 29682 registers.ebp: 4004708372 registers.edx: 2547288 registers.ebx: 16743593 registers.esi: 16743589 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 83 ed 04 e9 d8 f7 exception.symbol: random+0x444302 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4473602 exception.address: 0x1004302 registers.esp: 1374604 registers.edi: 16821241 registers.eax: 4294940532 registers.ebp: 4004708372 registers.edx: 2547288 registers.ebx: 16743593 registers.esi: 604292944 registers.ecx: 2138439680	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 c7 38 6b ef 7b 52 ba f1 1e ff 73 01 d7 5a exception.symbol: random+0x444bc4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4475844 exception.address: 0x1004bc4 registers.esp: 1374600 registers.edi: 16794937 registers.eax: 32093 registers.ebp: 4004708372 registers.edx: 1639680667 registers.ebx: 664603068 registers.esi: 604292944 registers.ecx: 358217649	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 b9 29 34 4b 57 89 ca 8b 0c 24 e9 3e fe ff exception.symbol: random+0x444d29 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4476201 exception.address: 0x1004d29 registers.esp: 1374604 registers.edi: 16827030 registers.eax: 9451 registers.ebp: 4004708372 registers.edx: 1639680667 registers.ebx: 4294937992 registers.esi: 604292944 registers.ecx: 358217649	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 72 03 00 00 31 fe 5f 89 f1 e9 86 00 00 00 exception.symbol: random+0x44a869 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4499561 exception.address: 0x100a869 registers.esp: 1374604 registers.edi: 16808579 registers.eax: 29497 registers.ebp: 4004708372 registers.edx: 16849386 registers.ebx: 4294937992 registers.esi: 604292944 registers.ecx: 2138439680	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4437 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 2, 2024, 10:58 a.m.	snapshot_handle: 0x0000037c process_name: mobsync.exe process_identifier: 2308	1	1	0
Process32NextW Sept. 2, 2024, 10:58 a.m.	snapshot_handle: 0x0000037c process_name: random.exe process_identifier: 2580	1	1	0

An executable file was downloaded by the process random.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.954796654951625, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.95479665495

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a6800', u'virtual_address': u'0x004f2000', u'entropy': 7.954301431532877, u'name': u'agodkpeb', u'virtual_size': u'0x001a7000'}

entropy

7.95430143153

description

A section with a high entropy has been found

entropy

0.994099466142

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA Sept. 2, 2024, 10:58 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.100

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 509 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0

A process attempted to delay the analysis task. (1 event)

description

random.exe tried to sleep 1583 seconds, actually delayed analysis time by 1583 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 2, 2024, 10:58 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 89 14 24 89 0c 24 54 exception.symbol: random+0x3d6f0a exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4026122 exception.address: 0xf96f0a registers.esp: 1374636 registers.edi: 4294943480 registers.eax: 1447909480 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 16340925 registers.ecx: 20	1	0	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Miner.vho
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!5F608251065B
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.5f608251065b3a8e
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	malware.kb.b.997
Gridinsoft	Trojan.Heur!.03A120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Miner.vho
AhnLab-V3	Trojan/Win.Generic.R661988
BitDefenderTheta	Gen:NN.ZexaF.36812.VDWaaqgyTMi
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealc
Zoner	Probably Heur.ExeHeaderL
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All