Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 4, 2024, 10:04 a.m.	Sept. 4, 2024, 10:06 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`54dd56c2c79350de18dc0be27360520d`
SHA256	`4dd18eb9b199c980ea742761d2faddc7d977b7f938ba158852cc7be6d0b681b4`
CRC32	`8B8DE47F`
ssdeep	`49152:nso3sEFO4iNDPvNrb7KnjPU4ECoK8efYTc:RFFWNbNK7Uc8Er`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

lamp.exe "C:\Users\test22\AppData\Local\Temp\lamp.exe"
1700

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.100:80 -> 192.168.56.103:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49161 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49161 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49161	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49161	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49161	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 4, 2024, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 4, 2024, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 4, 2024, 10:04 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:05 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:05 a.m.			0	0
IsDebuggerPresent Sept. 4, 2024, 10:05 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2024, 10:04 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	lgkqvsth
section	mexupnsd
section	.taggant

One or more processes crashed (50 out of 121 events)

Time & API	Arguments	Status
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: lamp+0x4ee0b9 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 5169337 exception.address: 0x79e0b9 registers.esp: 11599252 registers.edi: 0 registers.eax: 1 registers.ebp: 11599268 registers.edx: 9715712 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 53 e9 98 02 00 00 bb 7a e6 6b 7b 55 51 e9 68 exception.symbol: lamp+0x242386 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 2368390 exception.address: 0x4f2386 registers.esp: 11599220 registers.edi: 2228596840 registers.eax: 5213080 registers.ebp: 3995205652 registers.edx: 2818048 registers.ebx: 4294942000 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 51 b9 ea 26 f9 74 41 49 49 c1 e1 01 68 11 25 exception.symbol: lamp+0x243268 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 2372200 exception.address: 0x4f3268 registers.esp: 11599220 registers.edi: 2228596840 registers.eax: 5215793 registers.ebp: 3995205652 registers.edx: 234729 registers.ebx: 4294942836 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 68 7d 00 86 48 e9 18 fe ff ff 87 14 24 e9 72 exception.symbol: lamp+0x3c81b8 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 3965368 exception.address: 0x6781b8 registers.esp: 11599220 registers.edi: 6812422 registers.eax: 30161 registers.ebp: 3995205652 registers.edx: 587241 registers.ebx: 53216044 registers.esi: 4294940408 registers.ecx: 812	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 be 00 90 49 77 81 c6 51 f9 f9 49 exception.symbol: lamp+0x3ca1d0 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 3973584 exception.address: 0x67a1d0 registers.esp: 11599216 registers.edi: 536378 registers.eax: 26199 registers.ebp: 3995205652 registers.edx: 141 registers.ebx: 6788729 registers.esi: 0 registers.ecx: 6791196	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 68 6f 30 d6 6a 89 34 24 89 2c 24 68 f2 10 f5 exception.symbol: lamp+0x3ca484 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 3974276 exception.address: 0x67a484 registers.esp: 11599220 registers.edi: 536378 registers.eax: 26199 registers.ebp: 3995205652 registers.edx: 141 registers.ebx: 6788729 registers.esi: 0 registers.ecx: 6817395	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 81 ea 04 00 00 00 exception.symbol: lamp+0x3ca341 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 3973953 exception.address: 0x67a341 registers.esp: 11599220 registers.edi: 50665 registers.eax: 26199 registers.ebp: 3995205652 registers.edx: 141 registers.ebx: 6788729 registers.esi: 0 registers.ecx: 6794407	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 50 68 93 c5 3f 7f 58 56 be bf b1 51 79 01 f0 exception.symbol: lamp+0x3cdde5 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 3988965 exception.address: 0x67dde5 registers.esp: 11599220 registers.edi: 12594798 registers.eax: 29228 registers.ebp: 3995205652 registers.edx: 134889 registers.ebx: 4294941476 registers.esi: 0 registers.ecx: 6836106	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 e9 13 exception.symbol: lamp+0x3d869e exception.instruction: in eax, dx exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4032158 exception.address: 0x68869e registers.esp: 11599212 registers.edi: 12594798 registers.eax: 1447909480 registers.ebp: 3995205652 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 6829529 registers.ecx: 20	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: lamp+0x3d56a9 exception.address: 0x6856a9 exception.module: lamp.exe exception.exception_code: 0xc000001d exception.offset: 4019881 registers.esp: 11599212 registers.edi: 12594798 registers.eax: 1 registers.ebp: 3995205652 registers.edx: 22104 registers.ebx: 0 registers.esi: 6829529 registers.ecx: 20	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 7a 38 2d 12 01 exception.symbol: lamp+0x3d6b0b exception.instruction: in eax, dx exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4025099 exception.address: 0x686b0b registers.esp: 11599212 registers.edi: 12594798 registers.eax: 1447909480 registers.ebp: 3995205652 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6829529 registers.ecx: 10	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 3a 22 e2 35 e9 e0 03 00 00 89 e3 exception.symbol: lamp+0x3dc5ea exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4048362 exception.address: 0x68c5ea registers.esp: 11599220 registers.edi: 12594798 registers.eax: 29459 registers.ebp: 3995205652 registers.edx: 6379 registers.ebx: 6867507 registers.esi: 10 registers.ecx: 0	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f 81 00 00 00 00 66 b9 3b af 64 8f exception.symbol: lamp+0x3dcebe exception.instruction: int 1 exception.module: lamp.exe exception.exception_code: 0xc0000005 exception.offset: 4050622 exception.address: 0x68cebe registers.esp: 11599180 registers.edi: 0 registers.eax: 11599180 registers.ebp: 3995205652 registers.edx: 3562329932 registers.ebx: 6868896 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 51 b9 ca 11 cb 55 68 86 19 1e 7e 89 0c 24 e9 exception.symbol: lamp+0x3e3d35 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4078901 exception.address: 0x693d35 registers.esp: 11599220 registers.edi: 12594798 registers.eax: 4294940200 registers.ebp: 3995205652 registers.edx: 803821136 registers.ebx: 506840151 registers.esi: 6926671 registers.ecx: 6879871	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 55 68 63 97 85 6f 5d b9 1b 57 7a 10 56 89 2c exception.symbol: lamp+0x3ecd16 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4115734 exception.address: 0x69cd16 registers.esp: 11599220 registers.edi: 5177930 registers.eax: 0 registers.ebp: 3995205652 registers.edx: 6 registers.ebx: 262633 registers.esi: 1971262480 registers.ecx: 6935012	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 57 bf e6 d1 75 2f 52 89 e2 55 bd 04 00 00 00 exception.symbol: lamp+0x3f0c10 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4131856 exception.address: 0x6a0c10 registers.esp: 11599212 registers.edi: 5177930 registers.eax: 29480 registers.ebp: 3995205652 registers.edx: 6978826 registers.ebx: 38856159 registers.esi: 1971262480 registers.ecx: 1811240096	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 19 00 00 00 56 be 48 1e 3f 76 21 f5 ff 34 exception.symbol: lamp+0x3f1224 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4133412 exception.address: 0x6a1224 registers.esp: 11599212 registers.edi: 709865 registers.eax: 29480 registers.ebp: 3995205652 registers.edx: 6952326 registers.ebx: 0 registers.esi: 1971262480 registers.ecx: 1811240096	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 57 e9 b4 01 00 00 bd e7 c3 f4 7f e9 57 01 00 exception.symbol: lamp+0x3f34cb exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4142283 exception.address: 0x6a34cb registers.esp: 11599208 registers.edi: 709865 registers.eax: 33270 registers.ebp: 3995205652 registers.edx: 6952326 registers.ebx: 6958890 registers.esi: 1971262480 registers.ecx: 6952326	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 52 ba 78 4e 9f 3f e9 f2 fd ff ff 5a 57 e9 cf exception.symbol: lamp+0x3f39c3 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4143555 exception.address: 0x6a39c3 registers.esp: 11599212 registers.edi: 4294937376 registers.eax: 33270 registers.ebp: 3995205652 registers.edx: 6952326 registers.ebx: 6992160 registers.esi: 1971262480 registers.ecx: 84201	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 68 50 f2 23 49 89 0c 24 b9 e4 19 00 00 51 c7 exception.symbol: lamp+0x404345 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4211525 exception.address: 0x6b4345 registers.esp: 11599212 registers.edi: 4062627604 registers.eax: 29322 registers.ebp: 3995205652 registers.edx: 705495040 registers.ebx: 1 registers.esi: 318826231 registers.ecx: 7056374	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 e9 0e 02 00 00 81 c4 04 00 00 00 8f exception.symbol: lamp+0x403c50 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4209744 exception.address: 0x6b3c50 registers.esp: 11599212 registers.edi: 4062627604 registers.eax: 0 registers.ebp: 3995205652 registers.edx: 705495040 registers.ebx: 116969 registers.esi: 318826231 registers.ecx: 7029862	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 50 56 be 97 5f fd 7b e9 dc 03 00 00 58 8f 04 exception.symbol: lamp+0x4186ca exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4294346 exception.address: 0x6c86ca registers.esp: 11599176 registers.edi: 7111843 registers.eax: 26416 registers.ebp: 3995205652 registers.edx: 2130566132 registers.ebx: 2130566132 registers.esi: 7107574 registers.ecx: 705495040	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 89 e5 81 c5 04 00 00 00 83 exception.symbol: lamp+0x418948 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4294984 exception.address: 0x6c8948 registers.esp: 11599180 registers.edi: 7138259 registers.eax: 26416 registers.ebp: 3995205652 registers.edx: 2130566132 registers.ebx: 2130566132 registers.esi: 7107574 registers.ecx: 705495040	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 55 89 3c 24 81 ec 04 00 00 00 89 3c 24 bf e8 exception.symbol: lamp+0x4187b4 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4294580 exception.address: 0x6c87b4 registers.esp: 11599180 registers.edi: 7138259 registers.eax: 26416 registers.ebp: 3995205652 registers.edx: 2130566132 registers.ebx: 4294943808 registers.esi: 7107574 registers.ecx: 3633079904	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 68 51 0d f6 61 e9 78 06 00 00 f7 exception.symbol: lamp+0x419855 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4298837 exception.address: 0x6c9855 registers.esp: 11599180 registers.edi: 7115585 registers.eax: 27087 registers.ebp: 3995205652 registers.edx: 7115585 registers.ebx: 7143119 registers.esi: 7114801 registers.ecx: 0	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 89 34 24 e9 90 f8 ff ff 58 exception.symbol: lamp+0x419e22 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4300322 exception.address: 0x6c9e22 registers.esp: 11599180 registers.edi: 604292951 registers.eax: 27087 registers.ebp: 3995205652 registers.edx: 7115585 registers.ebx: 7118595 registers.esi: 7114801 registers.ecx: 0	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 81 c6 67 6b 7f 59 e9 d6 00 00 00 f7 d7 81 f7 exception.symbol: lamp+0x41dc78 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4316280 exception.address: 0x6cdc78 registers.esp: 11599176 registers.edi: 604292951 registers.eax: 30388 registers.ebp: 3995205652 registers.edx: 1899916998 registers.ebx: 611108863 registers.esi: 7132227 registers.ecx: 1907045812	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 31 c0 e9 f2 fb ff ff 8b 1c 24 83 c4 04 89 f3 exception.symbol: lamp+0x41d9d5 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4315605 exception.address: 0x6cd9d5 registers.esp: 11599180 registers.edi: 604292951 registers.eax: 30388 registers.ebp: 3995205652 registers.edx: 1899916998 registers.ebx: 611108863 registers.esi: 7162615 registers.ecx: 1907045812	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 53 89 34 24 be 87 9c b3 2c e9 00 00 00 00 83 exception.symbol: lamp+0x41dd0f exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4316431 exception.address: 0x6cdd0f registers.esp: 11599180 registers.edi: 604292951 registers.eax: 4294939404 registers.ebp: 3995205652 registers.edx: 1899916998 registers.ebx: 611108863 registers.esi: 7162615 registers.ecx: 918461837	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 81 c2 5f 51 be 5f 03 14 24 e9 0e 00 00 00 81 exception.symbol: lamp+0x422355 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4334421 exception.address: 0x6d2355 registers.esp: 11599176 registers.edi: 604292951 registers.eax: 30407 registers.ebp: 3995205652 registers.edx: 7150018 registers.ebx: 65804 registers.esi: 7162615 registers.ecx: 1969225870	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 50 81 ec 04 00 00 00 e9 83 02 00 00 f7 14 24 exception.symbol: lamp+0x421eac exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4333228 exception.address: 0x6d1eac registers.esp: 11599180 registers.edi: 0 registers.eax: 90601 registers.ebp: 3995205652 registers.edx: 7153105 registers.ebx: 65804 registers.esi: 7162615 registers.ecx: 1969225870	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 51 51 89 2c 24 bd 6a 11 bd 7d 81 f5 db 5b 1e exception.symbol: lamp+0x422e9c exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4337308 exception.address: 0x6d2e9c registers.esp: 11599176 registers.edi: 7153887 registers.eax: 25981 registers.ebp: 3995205652 registers.edx: 7153105 registers.ebx: 447671622 registers.esi: 7162615 registers.ecx: 2029464064	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 89 0c 24 52 e9 1d 00 00 00 exception.symbol: lamp+0x422b78 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4336504 exception.address: 0x6d2b78 registers.esp: 11599180 registers.edi: 7179868 registers.eax: 25981 registers.ebp: 3995205652 registers.edx: 7153105 registers.ebx: 447671622 registers.esi: 7162615 registers.ecx: 2029464064	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 48 ff ff ff 5d 35 29 af 82 85 e9 d1 fd ff exception.symbol: lamp+0x422c67 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4336743 exception.address: 0x6d2c67 registers.esp: 11599180 registers.edi: 7156896 registers.eax: 25981 registers.ebp: 3995205652 registers.edx: 24811 registers.ebx: 447671622 registers.esi: 0 registers.ecx: 2029464064	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 33 01 00 00 52 ba b3 59 e6 7d 01 d6 e9 3c exception.symbol: lamp+0x425a6d exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4348525 exception.address: 0x6d5a6d registers.esp: 11599180 registers.edi: 7156896 registers.eax: 0 registers.ebp: 3995205652 registers.edx: 7169072 registers.ebx: 447671622 registers.esi: 0 registers.ecx: 3105222504	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 86 fe ff ff 01 f5 5e c1 e5 08 e9 79 00 00 exception.symbol: lamp+0x428220 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4358688 exception.address: 0x6d8220 registers.esp: 11599176 registers.edi: 7156896 registers.eax: 29732 registers.ebp: 3995205652 registers.edx: 2037535178 registers.ebx: 7173298 registers.esi: 16562 registers.ecx: 7174954	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 01 fb ff ff 81 c3 00 25 ff 7d 81 e3 73 6f exception.symbol: lamp+0x428730 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4359984 exception.address: 0x6d8730 registers.esp: 11599180 registers.edi: 7156896 registers.eax: 29732 registers.ebp: 3995205652 registers.edx: 2037535178 registers.ebx: 7173298 registers.esi: 16562 registers.ecx: 7204686	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 55 52 e9 9d f6 ff ff 01 c3 58 83 eb 04 e9 12 exception.symbol: lamp+0x428505 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4359429 exception.address: 0x6d8505 registers.esp: 11599180 registers.edi: 0 registers.eax: 3939837675 registers.ebp: 3995205652 registers.edx: 2037535178 registers.ebx: 7173298 registers.esi: 16562 registers.ecx: 7178262	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 31 ff ff 34 07 ff 34 24 ff 34 24 ff 34 24 5a exception.symbol: lamp+0x439db1 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4431281 exception.address: 0x6e9db1 registers.esp: 11599180 registers.edi: 7200965 registers.eax: 7275428 registers.ebp: 3995205652 registers.edx: 713352 registers.ebx: 7200933 registers.esi: 7200929 registers.ecx: 705495040	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 50 e9 1b fa ff ff 89 14 24 56 89 2c 24 bd 53 exception.symbol: lamp+0x43a296 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4432534 exception.address: 0x6ea296 registers.esp: 11599180 registers.edi: 4294943496 registers.eax: 7275428 registers.ebp: 3995205652 registers.edx: 604277078 registers.ebx: 7200933 registers.esi: 7200929 registers.ecx: 705495040	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 52 e9 83 04 00 00 4b e9 00 00 00 00 93 57 50 exception.symbol: lamp+0x447836 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4487222 exception.address: 0x6f7836 registers.esp: 11599176 registers.edi: 7303665 registers.eax: 29633 registers.ebp: 3995205652 registers.edx: 2130566132 registers.ebx: 7286556 registers.esi: 10141676 registers.ecx: 705537672	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 68 da 93 08 3a 89 3c 24 c7 04 24 5c 5a 90 43 exception.symbol: lamp+0x4472e1 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4485857 exception.address: 0x6f72e1 registers.esp: 11599180 registers.edi: 7333298 registers.eax: 29633 registers.ebp: 3995205652 registers.edx: 2130566132 registers.ebx: 7286556 registers.esi: 10141676 registers.ecx: 705537672	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 56 89 14 24 53 bb exception.symbol: lamp+0x447715 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4486933 exception.address: 0x6f7715 registers.esp: 11599180 registers.edi: 7306446 registers.eax: 29633 registers.ebp: 3995205652 registers.edx: 604292949 registers.ebx: 7286556 registers.esi: 10141676 registers.ecx: 0	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 6e 29 f0 6c 89 1c 24 e9 bd fb ff exception.symbol: lamp+0x44da2b exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4512299 exception.address: 0x6fda2b registers.esp: 11599176 registers.edi: 7316646 registers.eax: 31165 registers.ebp: 3995205652 registers.edx: 7328320 registers.ebx: 1869777373 registers.esi: 10141676 registers.ecx: 705495040	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 31 c0 ff 34 02 ff 34 24 8b 0c 24 56 68 a0 90 exception.symbol: lamp+0x44dbd7 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4512727 exception.address: 0x6fdbd7 registers.esp: 11599180 registers.edi: 7316646 registers.eax: 31165 registers.ebp: 3995205652 registers.edx: 7359485 registers.ebx: 1869777373 registers.esi: 10141676 registers.ecx: 705495040	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 e9 b8 03 00 00 5d 55 bd 47 33 a0 exception.symbol: lamp+0x44d2e0 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4510432 exception.address: 0x6fd2e0 registers.esp: 11599180 registers.edi: 7316646 registers.eax: 4294939084 registers.ebp: 3995205652 registers.edx: 7359485 registers.ebx: 1869777373 registers.esi: 10141676 registers.ecx: 1086149480	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 d7 01 00 00 5a e9 c8 fc ff ff 5d 55 bd 82 exception.symbol: lamp+0x44e664 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4515428 exception.address: 0x6fe664 registers.esp: 11599176 registers.edi: 7331739 registers.eax: 27170 registers.ebp: 3995205652 registers.edx: 1037295753 registers.ebx: 1869777373 registers.esi: 10141676 registers.ecx: 1344267824	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 ca 01 00 00 81 c5 04 00 00 00 55 89 3c 24 exception.symbol: lamp+0x44e438 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4514872 exception.address: 0x6fe438 registers.esp: 11599180 registers.edi: 7358909 registers.eax: 27170 registers.ebp: 3995205652 registers.edx: 1037295753 registers.ebx: 1869777373 registers.esi: 10141676 registers.ecx: 1344267824	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb e9 31 00 00 00 87 3c 24 8b 24 24 68 bb 7a d1 exception.symbol: lamp+0x44e3c6 exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4514758 exception.address: 0x6fe3c6 registers.esp: 11599180 registers.edi: 7334621 registers.eax: 27170 registers.ebp: 3995205652 registers.edx: 1037295753 registers.ebx: 0 registers.esi: 10141676 registers.ecx: 3968028752	1
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 17 ff 34 24 8b 34 24 53 c7 04 24 exception.symbol: lamp+0x45b90d exception.instruction: sti exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4569357 exception.address: 0x70b90d registers.esp: 11599180 registers.edi: 2217960861 registers.eax: 25653 registers.ebp: 3995205652 registers.edx: 7412269 registers.ebx: 2409303706 registers.esi: 198295491 registers.ecx: 109	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 1700 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

lamp.exe tried to sleep 215 seconds, actually delayed analysis time by 215 seconds

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: mobsync.exe process_identifier: 1552	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: taskhost.exe process_identifier: 1904	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: cmd.exe process_identifier: 1680	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: SearchProtocolHost.exe process_identifier: 1648	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: conhost.exe process_identifier: 652	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: SearchFilterHost.exe process_identifier: 292	1	1
Process32NextW Sept. 4, 2024, 10:04 a.m.	snapshot_handle: 0x00000380 process_name: pw.exe process_identifier: 1880	1	1
Process32NextW Sept. 4, 2024, 10:05 a.m.	snapshot_handle: 0x00000534 process_name: svchost.exe process_identifier: 2336	1	1
Process32NextW Sept. 4, 2024, 10:05 a.m.	snapshot_handle: 0x00000534 process_name: mscorsvw.exe process_identifier: 2364	1	1
Process32NextW Sept. 4, 2024, 10:05 a.m.	snapshot_handle: 0x00000534 process_name: mscorsvw.exe process_identifier: 2408	1	1
Process32NextW Sept. 4, 2024, 10:05 a.m.	snapshot_handle: 0x00000534 process_name: sppsvc.exe process_identifier: 2456	1	1

An executable file was downloaded by the process lamp.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 4, 2024, 10:04 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.973367878257038, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.97336787826

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a5000', u'virtual_address': u'0x004ee000', u'entropy': 7.954478985804141, u'name': u'lgkqvsth', u'virtual_size': u'0x001a5000'}

entropy

7.9544789858

description

A section with a high entropy has been found

entropy

0.993799323563

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 4, 2024, 10:04 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.100

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 4, 2024, 10:04 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 4, 2024, 10:04 a.m.	key_handle: 0x00000384 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 4, 2024, 10:04 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 e9 13 exception.symbol: lamp+0x3d869e exception.instruction: in eax, dx exception.module: lamp.exe exception.exception_code: 0xc0000096 exception.offset: 4032158 exception.address: 0x68869e registers.esp: 11599212 registers.edi: 12594798 registers.eax: 1447909480 registers.ebp: 3995205652 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 6829529 registers.ecx: 20	1	0	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
VIPRE	Gen:Variant.Jaik.212366
BitDefender	Gen:Variant.Jaik.212366
Cybereason	malicious.2c7935
Arcabit	Trojan.Jaik.D33D8E
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Jaik.212366
Rising	Trojan.Kryptik@AI.80 (RDML:ADpNLyPZ6cEpxLMQjcAoZA)
Emsisoft	Gen:Variant.Jaik.212366 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!54DD56C2C793
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.54dd56c2c79350de
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=86)
Kingsoft	malware.kb.b.996
Gridinsoft	Trojan.Heur!.03A120A1
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Jaik.212366
AhnLab-V3	Trojan/Win.Generic.R661988
BitDefenderTheta	Gen:NN.ZexaF.36812.VDWaaO41B4c
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealc
Zoner	Probably Heur.ExeHeaderL
AVG	Win32:PWSX-gen [Trj]

lamp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All