Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 3, 2024, 9:02 a.m.	Sept. 3, 2024, 9:10 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f43b5c1b6de35a7fdb2c48ff380bac60`
SHA256	`9e62023a9a8c8286c8b71f0d980647a658312b3d9837db0529cc57955353bbd2`
CRC32	`D1C4A9AC`
ssdeep	`49152:xX+ELx25v1rOda0buFBXapKwqMImVmZjr:x/kXrvnXYqdjr`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

rome.exe "C:\Users\test22\AppData\Local\Temp\rome.exe"
296

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.100:80 -> 192.168.56.103:49162	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49162 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49162	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49162	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49162 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49162 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 3, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 3, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 3, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (12 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 3, 2024, 9:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	dyhszjng
section	rgkskrbl
section	.taggant

One or more processes crashed (50 out of 118 events)

Time & API	Arguments	Status
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: rome+0x4e30b9 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 5124281 exception.address: 0x18c30b9 registers.esp: 2620056 registers.edi: 0 registers.eax: 1 registers.ebp: 2620072 registers.edx: 27672576 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 50 b8 67 13 ff 7f 05 ad d6 fe 5e f7 d8 57 68 exception.symbol: rome+0x2422d7 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 2368215 exception.address: 0x16222d7 registers.esp: 2620020 registers.edi: 1971192040 registers.eax: 26643 registers.ebp: 4013228052 registers.edx: 20840448 registers.ebx: 0 registers.esi: 3 registers.ecx: 23207279	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 45 ad 01 6d 89 04 24 c7 04 24 94 53 be 7f exception.symbol: rome+0x242946 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 2369862 exception.address: 0x1622946 registers.esp: 2620024 registers.edi: 1971192040 registers.eax: 26643 registers.ebp: 4013228052 registers.edx: 20840448 registers.ebx: 0 registers.esi: 3 registers.ecx: 23233922	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 51 e9 17 f8 ff ff 81 c1 04 00 00 00 e9 56 f4 exception.symbol: rome+0x2429b2 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 2369970 exception.address: 0x16229b2 registers.esp: 2620024 registers.edi: 242921 registers.eax: 26643 registers.ebp: 4013228052 registers.edx: 20840448 registers.ebx: 4294943924 registers.esi: 3 registers.ecx: 23233922	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 ce bd f3 12 89 2c 24 68 fe 45 7e 7e ff 34 exception.symbol: rome+0x2436e1 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 2373345 exception.address: 0x16236e1 registers.esp: 2620024 registers.edi: 23242755 registers.eax: 30831 registers.ebp: 4013228052 registers.edx: 126865361 registers.ebx: 1851517184 registers.esi: 3 registers.ecx: 23233922	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 55 52 68 d3 58 5d 67 5a 81 ca d1 fe bf 37 c1 exception.symbol: rome+0x24386e exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 2373742 exception.address: 0x162386e registers.esp: 2620024 registers.edi: 23242755 registers.eax: 30831 registers.ebp: 4013228052 registers.edx: 1259 registers.ebx: 1851517184 registers.esi: 4294939772 registers.ecx: 23233922	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 50 57 50 b8 43 3b 77 7b 53 89 c3 89 df 5b 58 exception.symbol: rome+0x3bd924 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3922212 exception.address: 0x179d924 registers.esp: 2620020 registers.edi: 24761368 registers.eax: 27700 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 57344875 registers.esi: 24744662 registers.ecx: 875	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 c7 04 24 ed a0 13 exception.symbol: rome+0x3bdc07 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3922951 exception.address: 0x179dc07 registers.esp: 2620024 registers.edi: 24789068 registers.eax: 27700 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 57344875 registers.esi: 24744662 registers.ecx: 875	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb e9 60 01 00 00 83 c4 04 e9 a3 00 00 00 50 89 exception.symbol: rome+0x3bd612 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3921426 exception.address: 0x179d612 registers.esp: 2620024 registers.edi: 24764120 registers.eax: 0 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 334569 registers.esi: 24744662 registers.ecx: 875	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 52 89 2c 24 53 89 14 24 e9 2a 01 00 00 81 e5 exception.symbol: rome+0x3c0028 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3932200 exception.address: 0x17a0028 registers.esp: 2620020 registers.edi: 95 registers.eax: 28339 registers.ebp: 4013228052 registers.edx: 95 registers.ebx: 24767334 registers.esi: 24771226 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb e9 6f 00 00 00 81 ef 85 99 95 2b 01 f8 e9 e7 exception.symbol: rome+0x3c01aa exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3932586 exception.address: 0x17a01aa registers.esp: 2620024 registers.edi: 2298801283 registers.eax: 4294941512 registers.ebp: 4013228052 registers.edx: 95 registers.ebx: 24767334 registers.esi: 24799565 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb e9 be 02 00 00 b8 a0 5f ff 6b f7 d0 40 48 e9 exception.symbol: rome+0x3c0ba2 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3935138 exception.address: 0x17a0ba2 registers.esp: 2620024 registers.edi: 2298801283 registers.eax: 134889 registers.ebp: 4013228052 registers.edx: 0 registers.ebx: 24777133 registers.esi: 24799565 registers.ecx: 199045313	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 54 ff 34 24 5a 51 50 exception.symbol: rome+0x3c8c98 exception.instruction: in eax, dx exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3968152 exception.address: 0x17a8c98 registers.esp: 2620016 registers.edi: 4337262 registers.eax: 1447909480 registers.ebp: 4013228052 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 24806485 registers.ecx: 20	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: rome+0x3cc13e exception.address: 0x17ac13e exception.module: rome.exe exception.exception_code: 0xc000001d exception.offset: 3981630 registers.esp: 2620016 registers.edi: 4337262 registers.eax: 1 registers.ebp: 4013228052 registers.edx: 22104 registers.ebx: 0 registers.esi: 24806485 registers.ecx: 20	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 6b 2a 2d 12 01 exception.symbol: rome+0x3cb95c exception.instruction: in eax, dx exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3979612 exception.address: 0x17ab95c registers.esp: 2620016 registers.edi: 4337262 registers.eax: 1447909480 registers.ebp: 4013228052 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 24806485 registers.ecx: 10	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 81 ef e3 04 ee 77 81 ef c3 30 f5 6a e9 38 00 exception.symbol: rome+0x3d16dc exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4003548 exception.address: 0x17b16dc registers.esp: 2620020 registers.edi: 24841789 registers.eax: 30867 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 67314827 registers.esi: 10 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 51 50 b8 4d e9 a5 17 89 c1 e9 17 ff ff ff 89 exception.symbol: rome+0x3d12bf exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4002495 exception.address: 0x17b12bf registers.esp: 2620024 registers.edi: 24872656 registers.eax: 30867 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 67314827 registers.esi: 10 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 c7 04 24 09 e9 d3 3b ff 0c exception.symbol: rome+0x3d142f exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4002863 exception.address: 0x17b142f registers.esp: 2620024 registers.edi: 24844696 registers.eax: 30867 registers.ebp: 4013228052 registers.edx: 0 registers.ebx: 67314827 registers.esi: 10 registers.ecx: 977248	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 60 b9 6d f2 5c 75 61 66 ba 39 24 66 exception.symbol: rome+0x3d1b25 exception.instruction: int 1 exception.module: rome.exe exception.exception_code: 0xc0000005 exception.offset: 4004645 exception.address: 0x17b1b25 registers.esp: 2619984 registers.edi: 0 registers.eax: 2619984 registers.ebp: 4013228052 registers.edx: 1969526241 registers.ebx: 24845411 registers.esi: 38369 registers.ecx: 1969526241	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 57 e9 d0 00 00 00 c1 ee 06 46 81 e6 c0 c8 df exception.symbol: rome+0x3e0849 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4065353 exception.address: 0x17c0849 registers.esp: 2620024 registers.edi: 24907961 registers.eax: 1225879144 registers.ebp: 4013228052 registers.edx: 6 registers.ebx: 67315049 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 55 bd eb 86 d1 7f 81 ee 31 d2 04 31 81 c6 4d exception.symbol: rome+0x3e1a83 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4070019 exception.address: 0x17c1a83 registers.esp: 2620020 registers.edi: 24907961 registers.eax: 29928 registers.ebp: 4013228052 registers.edx: 354849110 registers.ebx: 67315049 registers.esi: 24908336 registers.ecx: 330705738	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 55 bd 2c 6f 98 26 e9 a8 03 00 00 68 1d e0 e0 exception.symbol: rome+0x3e14f4 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4068596 exception.address: 0x17c14f4 registers.esp: 2620024 registers.edi: 24907961 registers.eax: 29928 registers.ebp: 4013228052 registers.edx: 0 registers.ebx: 67315049 registers.esi: 24911288 registers.ecx: 979177	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 81 c7 ea 82 fe 72 03 3c 24 e9 00 00 00 00 81 exception.symbol: rome+0x3e5e8d exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4087437 exception.address: 0x17c5e8d registers.esp: 2620012 registers.edi: 24925351 registers.eax: 29748 registers.ebp: 4013228052 registers.edx: 254345611 registers.ebx: 789881183 registers.esi: 24911288 registers.ecx: 254345611	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0f ff 34 24 e9 b5 01 00 00 55 50 exception.symbol: rome+0x3e5b5e exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4086622 exception.address: 0x17c5b5e registers.esp: 2620016 registers.edi: 24955099 registers.eax: 29748 registers.ebp: 4013228052 registers.edx: 254345611 registers.ebx: 789881183 registers.esi: 24911288 registers.ecx: 254345611	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb bb bf d2 a7 73 c1 eb 04 52 89 3c 24 bf 50 29 exception.symbol: rome+0x3e5585 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4085125 exception.address: 0x17c5585 registers.esp: 2620016 registers.edi: 24955099 registers.eax: 14215509 registers.ebp: 4013228052 registers.edx: 254345611 registers.ebx: 789881183 registers.esi: 24911288 registers.ecx: 4294940108	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 81 c6 05 17 f9 3f 03 34 24 e9 f5 02 00 00 89 exception.symbol: rome+0x3e85c9 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4097481 exception.address: 0x17c85c9 registers.esp: 2620012 registers.edi: 24955099 registers.eax: 31677 registers.ebp: 4013228052 registers.edx: 1680489839 registers.ebx: 1744361075 registers.esi: 24937364 registers.ecx: 1639808647	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 b0 0d 34 28 89 2c 24 89 04 24 e9 c7 fd ff exception.symbol: rome+0x3e8d7d exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4099453 exception.address: 0x17c8d7d registers.esp: 2620016 registers.edi: 24955099 registers.eax: 0 registers.ebp: 4013228052 registers.edx: 1680489839 registers.ebx: 604277078 registers.esi: 24940425 registers.ecx: 1639808647	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 e9 22 fe ff ff c1 e5 08 81 exception.symbol: rome+0x3f5a28 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4151848 exception.address: 0x17d5a28 registers.esp: 2620016 registers.edi: 2147303327 registers.eax: 25019206 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 24987815 registers.esi: 2130521503 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 20 5e bd 4a 89 2c 24 68 ff 37 e2 58 89 14 exception.symbol: rome+0x3f58eb exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4151531 exception.address: 0x17d58eb registers.esp: 2620016 registers.edi: 2147303327 registers.eax: 24994346 registers.ebp: 4013228052 registers.edx: 0 registers.ebx: 24987815 registers.esi: 1426090592 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 81 ea 71 80 ef 77 50 e9 c4 fb ff ff 87 1c 24 exception.symbol: rome+0x409367 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4232039 exception.address: 0x17e9367 registers.esp: 2619980 registers.edi: 33472 registers.eax: 28084 registers.ebp: 4013228052 registers.edx: 25070882 registers.ebx: 0 registers.esi: 25065196 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 50 51 e9 6f f6 ff ff 47 81 c7 43 22 81 7e e9 exception.symbol: rome+0x409826 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4233254 exception.address: 0x17e9826 registers.esp: 2619984 registers.edi: 0 registers.eax: 28084 registers.ebp: 4013228052 registers.edx: 25073718 registers.ebx: 0 registers.esi: 3986525024 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 4f b2 32 77 89 04 24 c7 04 24 ca c7 bf 5f exception.symbol: rome+0x40a3b7 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4236215 exception.address: 0x17ea3b7 registers.esp: 2619984 registers.edi: 25076121 registers.eax: 3067101288 registers.ebp: 4013228052 registers.edx: 25102409 registers.ebx: 4294944524 registers.esi: 25075545 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb e9 82 fa ff ff 81 f2 13 bd af 29 01 d0 8b 14 exception.symbol: rome+0x40d1aa exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4247978 exception.address: 0x17ed1aa registers.esp: 2619984 registers.edi: 0 registers.eax: 25088705 registers.ebp: 4013228052 registers.edx: 1195308366 registers.ebx: 8320 registers.esi: 25083453 registers.ecx: 3884537680	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 57 89 0c 24 89 3c 24 53 e9 84 00 00 00 01 f5 exception.symbol: rome+0x4131e1 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4272609 exception.address: 0x17f31e1 registers.esp: 2619984 registers.edi: 4013228052 registers.eax: 24811 registers.ebp: 4013228052 registers.edx: 25109400 registers.ebx: 25113390 registers.esi: 0 registers.ecx: 25107917	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb bb 54 32 84 10 50 89 e0 e9 60 fb ff ff 01 d7 exception.symbol: rome+0x41557c exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4281724 exception.address: 0x17f557c registers.esp: 2619984 registers.edi: 4013228052 registers.eax: 25146488 registers.ebp: 4013228052 registers.edx: 81129 registers.ebx: 4294944120 registers.esi: 0 registers.ecx: 489045881	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 50 53 bb af 0c f3 67 89 d8 e9 77 00 00 00 81 exception.symbol: rome+0x416ba6 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4287398 exception.address: 0x17f6ba6 registers.esp: 2619980 registers.edi: 4013228052 registers.eax: 25582 registers.ebp: 4013228052 registers.edx: 81129 registers.ebx: 25125801 registers.esi: 0 registers.ecx: 1937023	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 56 c7 04 24 62 b0 b0 6c 8b 04 24 exception.symbol: rome+0x4164f2 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4285682 exception.address: 0x17f64f2 registers.esp: 2619984 registers.edi: 4013228052 registers.eax: 157417 registers.ebp: 4013228052 registers.edx: 81129 registers.ebx: 25128339 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb e9 ab 00 00 00 81 f6 15 47 ff 3e 52 ba f1 b9 exception.symbol: rome+0x4177e6 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4290534 exception.address: 0x17f77e6 registers.esp: 2619980 registers.edi: 510920664 registers.eax: 30060 registers.ebp: 4013228052 registers.edx: 573382234 registers.ebx: 25130287 registers.esi: 25128340 registers.ecx: 573382234	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 52 54 5a 51 b9 04 00 00 00 57 bf ac ae ba 4f exception.symbol: rome+0x417983 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4290947 exception.address: 0x17f7983 registers.esp: 2619984 registers.edi: 510920664 registers.eax: 30060 registers.ebp: 4013228052 registers.edx: 573382234 registers.ebx: 25160347 registers.esi: 25128340 registers.ecx: 573382234	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 50 52 57 bf 83 a7 7e 77 81 e7 26 8e 7b 4e 4f exception.symbol: rome+0x41770b exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4290315 exception.address: 0x17f770b registers.esp: 2619984 registers.edi: 1338198120 registers.eax: 30060 registers.ebp: 4013228052 registers.edx: 573382234 registers.ebx: 25133219 registers.esi: 0 registers.ecx: 573382234	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 8c a1 78 28 89 34 24 e9 41 00 00 00 58 50 exception.symbol: rome+0x4240f6 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4342006 exception.address: 0x18040f6 registers.esp: 2619984 registers.edi: 25155786 registers.eax: 28613 registers.ebp: 4013228052 registers.edx: 4294941976 registers.ebx: 25155754 registers.esi: 25208094 registers.ecx: 1077936232	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 53 f9 21 00 89 14 24 68 fc a0 ec 4f ff 34 exception.symbol: rome+0x434cc3 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4410563 exception.address: 0x1814cc3 registers.esp: 2619980 registers.edi: 25227372 registers.eax: 25249216 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 4243436 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 ba fb c2 e2 3f f7 exception.symbol: rome+0x434dae exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4410798 exception.address: 0x1814dae registers.esp: 2619984 registers.edi: 25227372 registers.eax: 25279875 registers.ebp: 4013228052 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 4243436 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb e9 12 00 00 00 81 ef f0 88 fe 7f 4f 81 f7 41 exception.symbol: rome+0x435095 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4411541 exception.address: 0x1815095 registers.esp: 2619984 registers.edi: 25227372 registers.eax: 25279875 registers.ebp: 4013228052 registers.edx: 9451 registers.ebx: 4294939560 registers.esi: 4243436 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 b9 ee 7d 5f 89 3c 24 e9 76 03 00 exception.symbol: rome+0x43aeca exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4435658 exception.address: 0x181aeca registers.esp: 2619984 registers.edi: 25253582 registers.eax: 29669 registers.ebp: 4013228052 registers.edx: 98601296 registers.ebx: 25277243 registers.esi: 4243436 registers.ecx: 0	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 52 56 be 9c 71 b5 7f e9 19 00 00 00 c1 24 24 exception.symbol: rome+0x448e52 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4492882 exception.address: 0x1828e52 registers.esp: 2619984 registers.edi: 0 registers.eax: 31981 registers.ebp: 4013228052 registers.edx: 0 registers.ebx: 11921745 registers.esi: 25333796 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 29 ff 53 53 e9 ce 00 00 00 81 e7 1f d8 fa 3b exception.symbol: rome+0x452281 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4530817 exception.address: 0x1832281 registers.esp: 2619984 registers.edi: 4013228052 registers.eax: 25397429 registers.ebp: 4013228052 registers.edx: 11 registers.ebx: 4025985489 registers.esi: 4243436 registers.ecx: 25368116	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 68 d1 12 8d 3d e9 5c 01 00 00 b8 44 53 2a 7a exception.symbol: rome+0x4524d4 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4531412 exception.address: 0x18324d4 registers.esp: 2619984 registers.edi: 4294942212 registers.eax: 25397429 registers.ebp: 4013228052 registers.edx: 11 registers.ebx: 4025985489 registers.esi: 4243436 registers.ecx: 2179041617	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 bd b4 f9 ef 6b 01 ea e9 aa 01 00 exception.symbol: rome+0x45b45a exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4568154 exception.address: 0x183b45a registers.esp: 2619980 registers.edi: 4294942212 registers.eax: 30840 registers.ebp: 4013228052 registers.edx: 25407773 registers.ebx: 1284574597 registers.esi: 2005598220 registers.ecx: 776208384	1
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: fb 57 89 2c 24 68 a3 55 12 31 89 34 24 e9 67 f9 exception.symbol: rome+0x45ba71 exception.instruction: sti exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 4569713 exception.address: 0x183ba71 registers.esp: 2619984 registers.edi: 4294942212 registers.eax: 30840 registers.ebp: 4013228052 registers.edx: 25410433 registers.ebx: 0 registers.esi: 604275024 registers.ecx: 776208384	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x013e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 296 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rome.exe tried to sleep 199 seconds, actually delayed analysis time by 199 seconds

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: pw.exe process_identifier: 1688	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: taskhost.exe process_identifier: 1984	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: cmd.exe process_identifier: 1704	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: SearchProtocolHost.exe process_identifier: 1504	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: SearchFilterHost.exe process_identifier: 1692	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: rome.exe process_identifier: 296	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x0000037c process_name: pw.exe process_identifier: 1740	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000534 process_name: svchost.exe process_identifier: 2408	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000534 process_name: mscorsvw.exe process_identifier: 2436	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000534 process_name: mscorsvw.exe process_identifier: 2476	1	1
Process32NextW Sept. 3, 2024, 9:02 a.m.	snapshot_handle: 0x00000534 process_name: sppsvc.exe process_identifier: 2528	1	1

An executable file was downloaded by the process rome.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 3, 2024, 9:02 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.9776781442058775, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.97767814421

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a0000', u'virtual_address': u'0x004e3000', u'entropy': 7.953662702783395, u'name': u'dyhszjng', u'virtual_size': u'0x001a0000'}

entropy

7.95366270278

description

A section with a high entropy has been found

entropy

0.994011976048

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 3, 2024, 9:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.100

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 3, 2024, 9:02 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 3, 2024, 9:02 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 3, 2024, 9:02 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 54 ff 34 24 5a 51 50 exception.symbol: rome+0x3c8c98 exception.instruction: in eax, dx exception.module: rome.exe exception.exception_code: 0xc0000096 exception.offset: 3968152 exception.address: 0x17a8c98 registers.esp: 2620016 registers.edi: 4337262 registers.eax: 1447909480 registers.ebp: 4013228052 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 24806485 registers.ecx: 20	1	0	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Miner.vho
Rising	Trojan.Kryptik@AI.88 (RDML:03zpuk5KoEioeTjJeD8WHw)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!F43B5C1B6DE3
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.f43b5c1b6de35a7f
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	malware.kb.b.993
Gridinsoft	Trojan.Heur!.03A120A1
ZoneAlarm	HEUR:Trojan.Win32.Miner.vho
AhnLab-V3	Trojan/Win.Generic.R661988
BitDefenderTheta	Gen:NN.ZexaF.36812.TDWaaCzFXjh
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Spyware.Stealc
Zoner	Probably Heur.ExeHeaderL
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

rome.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All