Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 13, 2024, 9:33 a.m.	Sept. 13, 2024, 9:45 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7696fd52645fd5bde71ca7eb4b2fa935`
SHA256	`45bbfe6526c7aa0ac16355e301a467c2533bb1b2455dea1405deb80be734f990`
CRC32	`9BA3690A`
ssdeep	`24576:5SsLrYJswjqQBhcHER9RvUArP+G+EkMNSriZZT3a/dFkyBVZMyPd29zlLVAfl9D:YmrYtjqccHmRvUAr+E5ZZ+VZMCYjkv`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description)

sera.exe "C:\Users\test22\AppData\Local\Temp\sera.exe"
1540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.103	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 13, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 13, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 13, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Sept. 13, 2024, 9:28 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2024, 9:28 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	wrhqshyt
section	nschhmlb
section	.taggant

One or more processes crashed (50 out of 111 events)

Time & API	Arguments	Status
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: sera+0x4d60b9 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 5071033 exception.address: 0x10960b9 registers.esp: 2751832 registers.edi: 0 registers.eax: 1 registers.ebp: 2751848 registers.edx: 19066880 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 c1 43 2f 1d e9 19 05 00 00 81 c4 exception.symbol: sera+0x2420cf exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 2367695 exception.address: 0xe020cf registers.esp: 2751800 registers.edi: 1971192040 registers.eax: 32311 registers.ebp: 4004708372 registers.edx: 12320768 registers.ebx: 14719949 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 74 b3 99 5b e9 15 05 00 00 5f 05 exception.symbol: sera+0x24209e exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 2367646 exception.address: 0xe0209e registers.esp: 2751800 registers.edi: 1971192040 registers.eax: 32311 registers.ebp: 4004708372 registers.edx: 237801 registers.ebx: 14690925 registers.esi: 3 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 68 09 00 5b 01 e9 e5 f6 ff ff 05 2e 57 68 a3 exception.symbol: sera+0x243ad1 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 2374353 exception.address: 0xe03ad1 registers.esp: 2751796 registers.edi: 1971192040 registers.eax: 14692285 registers.ebp: 4004708372 registers.edx: 237801 registers.ebx: 1721938575 registers.esi: 3 registers.ecx: 1648131959	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 bf 00 00 00 68 cf 11 1c 51 89 24 24 83 04 exception.symbol: sera+0x24368f exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 2373263 exception.address: 0xe0368f registers.esp: 2751800 registers.edi: 0 registers.eax: 14695478 registers.ebp: 4004708372 registers.edx: 237801 registers.ebx: 1721938575 registers.esi: 1259 registers.ecx: 1648131959	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 e1 02 00 00 83 c4 04 83 c4 04 83 c6 04 68 exception.symbol: sera+0x3b97f9 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3905529 exception.address: 0xf797f9 registers.esp: 2751796 registers.edi: 14727801 registers.eax: 31153 registers.ebp: 4004708372 registers.edx: 14684193 registers.ebx: 2347008 registers.esi: 16224049 registers.ecx: 16224580	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 e9 e3 fe ff ff 56 89 04 24 exception.symbol: sera+0x3b9ad4 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3906260 exception.address: 0xf79ad4 registers.esp: 2751800 registers.edi: 14727801 registers.eax: 31153 registers.ebp: 4004708372 registers.edx: 14684193 registers.ebx: 2347008 registers.esi: 16224049 registers.ecx: 16255733	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 57 bf 87 46 ec 7d 50 53 c7 04 24 b3 53 04 3d exception.symbol: sera+0x3b973a exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3905338 exception.address: 0xf7973a registers.esp: 2751800 registers.edi: 14727801 registers.eax: 31153 registers.ebp: 4004708372 registers.edx: 14684193 registers.ebx: 0 registers.esi: 322689 registers.ecx: 16227537	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 ce 05 00 00 8b 0c 24 83 c4 04 c1 e1 08 53 exception.symbol: sera+0x3bfc63 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3931235 exception.address: 0xf7fc63 registers.esp: 2751796 registers.edi: 1183058442 registers.eax: 26491 registers.ebp: 4004708372 registers.edx: 1235725194 registers.ebx: 16246124 registers.esi: 48340 registers.ecx: 16250615	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 52 89 34 24 c7 04 24 4d 09 cb 7b 81 34 24 c7 exception.symbol: sera+0x3c02db exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3932891 exception.address: 0xf802db registers.esp: 2751800 registers.edi: 1183058442 registers.eax: 26491 registers.ebp: 4004708372 registers.edx: 1235725194 registers.ebx: 0 registers.esi: 134889 registers.ecx: 16253922	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 83 e9 04 51 e9 f9 exception.symbol: sera+0x3c6849 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3958857 exception.address: 0xf86849 registers.esp: 2751800 registers.edi: 16304699 registers.eax: 27851 registers.ebp: 4004708372 registers.edx: 1297650853 registers.ebx: 6186086 registers.esi: 134889 registers.ecx: 6186086	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 52 e9 c9 fd ff ff ff 34 24 e9 5b 06 00 00 05 exception.symbol: sera+0x3c600d exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3956749 exception.address: 0xf8600d registers.esp: 2751800 registers.edi: 16279923 registers.eax: 27851 registers.ebp: 4004708372 registers.edx: 1297650853 registers.ebx: 6186086 registers.esi: 0 registers.ecx: 202985	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 2b c2 f4 3b 89 14 24 exception.symbol: sera+0x3cc502 exception.instruction: in eax, dx exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3982594 exception.address: 0xf8c502 registers.esp: 2751792 registers.edi: 4337262 registers.eax: 1447909480 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 16286287 registers.ecx: 20	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: sera+0x3cb361 exception.address: 0xf8b361 exception.module: sera.exe exception.exception_code: 0xc000001d exception.offset: 3978081 registers.esp: 2751792 registers.edi: 4337262 registers.eax: 1 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 0 registers.esi: 16286287 registers.ecx: 20	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ca 2b 2d 12 01 exception.symbol: sera+0x3cc88c exception.instruction: in eax, dx exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3983500 exception.address: 0xf8c88c registers.esp: 2751792 registers.edi: 4337262 registers.eax: 1447909480 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16286287 registers.ecx: 10	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f 8b 02 00 00 00 b5 47 66 8b cb 64 exception.symbol: sera+0x3d0cae exception.instruction: int 1 exception.module: sera.exe exception.exception_code: 0xc0000005 exception.offset: 4000942 exception.address: 0xf90cae registers.esp: 2751760 registers.edi: 0 registers.eax: 2751760 registers.ebp: 4004708372 registers.edx: 3510 registers.ebx: 16321974 registers.esi: 1804977674 registers.ecx: 1337703881	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 56 be bb 1b ff 77 53 89 14 24 ba 1f 48 95 00 exception.symbol: sera+0x3d1376 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4002678 exception.address: 0xf91376 registers.esp: 2751796 registers.edi: 16323221 registers.eax: 26436 registers.ebp: 4004708372 registers.edx: 2130526355 registers.ebx: 14513874 registers.esi: 10 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 c7 04 24 48 a0 bb 3f e9 37 fe ff exception.symbol: sera+0x3d169d exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4003485 exception.address: 0xf9169d registers.esp: 2751800 registers.edi: 16349657 registers.eax: 26436 registers.ebp: 4004708372 registers.edx: 2130526355 registers.ebx: 14513874 registers.esi: 10 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 53 55 bd 00 11 f3 7f bb 79 9e 1e ff 01 eb ff exception.symbol: sera+0x3d1457 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4002903 exception.address: 0xf91457 registers.esp: 2751800 registers.edi: 16349657 registers.eax: 2283 registers.ebp: 4004708372 registers.edx: 2130526355 registers.ebx: 4294943644 registers.esi: 10 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 ba ce 43 e9 12 52 81 34 24 ee 16 exception.symbol: sera+0x3dfbc4 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4062148 exception.address: 0xf9fbc4 registers.esp: 2751800 registers.edi: 4294941500 registers.eax: 16409965 registers.ebp: 4004708372 registers.edx: 6 registers.ebx: 604292945 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 b2 03 00 00 ff 74 24 04 5a 8f 04 24 8b 24 exception.symbol: sera+0x3e1c1c exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4070428 exception.address: 0xfa1c1c registers.esp: 2751796 registers.edi: 4294941500 registers.eax: 32671 registers.ebp: 4004708372 registers.edx: 16389916 registers.ebx: 317277134 registers.esi: 1971262480 registers.ecx: 83680076	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 53 89 14 24 57 bf 21 fa 7b 1d 89 7c 24 04 5f exception.symbol: sera+0x3e1df3 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4070899 exception.address: 0xfa1df3 registers.esp: 2751800 registers.edi: 4294941500 registers.eax: 0 registers.ebp: 4004708372 registers.edx: 16393267 registers.ebx: 317277134 registers.esi: 1179202795 registers.ecx: 83680076	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 e0 02 00 00 c7 04 24 00 9c f7 3b e9 4a 08 exception.symbol: sera+0x3e33ad exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4076461 exception.address: 0xfa33ad registers.esp: 2751800 registers.edi: 4294941500 registers.eax: 32011 registers.ebp: 4004708372 registers.edx: 857153349 registers.ebx: 1986789566 registers.esi: 16427783 registers.ecx: 83680076	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 e9 17 01 00 00 8b 14 24 e9 exception.symbol: sera+0x3e3041 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4075585 exception.address: 0xfa3041 registers.esp: 2751800 registers.edi: 4294941500 registers.eax: 262633 registers.ebp: 4004708372 registers.edx: 857153349 registers.ebx: 0 registers.esi: 16399399 registers.ecx: 83680076	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 b8 7d f5 ba 7b 0d 0a ce 75 2a e9 exception.symbol: sera+0x3eba0a exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4110858 exception.address: 0xfaba0a registers.esp: 2751792 registers.edi: 16457029 registers.eax: 26958 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 16399399 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 68 04 cf 39 26 ff 34 24 8b 04 24 exception.symbol: sera+0x3ebe72 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4111986 exception.address: 0xfabe72 registers.esp: 2751792 registers.edi: 16457029 registers.eax: 26958 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 14827 registers.esi: 4294943248 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 81 c3 e6 ab f3 6b e9 19 fd ff ff 56 be 21 db exception.symbol: sera+0x40875b exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4228955 exception.address: 0xfc875b registers.esp: 2751756 registers.edi: 1967199411 registers.eax: 30515 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 16546916 registers.esi: 16542802 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 57 89 0c 24 52 83 ec 04 e9 62 02 00 00 01 f3 exception.symbol: sera+0x40857d exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4228477 exception.address: 0xfc857d registers.esp: 2751760 registers.edi: 1967199411 registers.eax: 0 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 16550043 registers.esi: 16542802 registers.ecx: 604277077	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 7c ec 6a 3d c1 24 24 07 ff 04 24 exception.symbol: sera+0x40a661 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4236897 exception.address: 0xfca661 registers.esp: 2751760 registers.edi: 1967199411 registers.eax: 30099 registers.ebp: 4004708372 registers.edx: 474531514 registers.ebx: 1979554999 registers.esi: 16586077 registers.ecx: 491085663	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 3a 00 00 00 59 8b 14 24 83 c4 04 50 89 0c exception.symbol: sera+0x40a9dd exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4237789 exception.address: 0xfca9dd registers.esp: 2751760 registers.edi: 1967199411 registers.eax: 1358981728 registers.ebp: 4004708372 registers.edx: 474531514 registers.ebx: 0 registers.esi: 16558929 registers.ecx: 491085663	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 81 c3 04 00 00 00 83 eb 04 33 1c 24 exception.symbol: sera+0x40c1ab exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4243883 exception.address: 0xfcc1ab registers.esp: 2751760 registers.edi: 16560518 registers.eax: 25988 registers.ebp: 4004708372 registers.edx: 16587867 registers.ebx: 16561417 registers.esi: 16561441 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 43 fd ff ff 89 d0 8b 14 24 e9 b1 02 00 00 exception.symbol: sera+0x40ba58 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4242008 exception.address: 0xfcba58 registers.esp: 2751760 registers.edi: 16560518 registers.eax: 3527879272 registers.ebp: 4004708372 registers.edx: 16565027 registers.ebx: 16561417 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 64 fb ff ff 89 04 24 53 51 89 e1 52 ba 04 exception.symbol: sera+0x40c94e exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4245838 exception.address: 0xfcc94e registers.esp: 2751760 registers.edi: 16560518 registers.eax: 27719 registers.ebp: 4004708372 registers.edx: 16593109 registers.ebx: 16561417 registers.esi: 0 registers.ecx: 2020538014	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 68 a6 44 3b 4f 5b f7 d3 81 eb e5 44 c5 32 f7 exception.symbol: sera+0x40c503 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4244739 exception.address: 0xfcc503 registers.esp: 2751760 registers.edi: 606896464 registers.eax: 27719 registers.ebp: 4004708372 registers.edx: 16568453 registers.ebx: 16561417 registers.esi: 0 registers.ecx: 2020538014	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 52 53 68 e2 f1 fb 79 e9 80 00 00 00 5b 45 81 exception.symbol: sera+0x411269 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4264553 exception.address: 0xfd1269 registers.esp: 2751756 registers.edi: 606896464 registers.eax: 32702 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 16583111 registers.esi: 0 registers.ecx: 1969225870	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 68 08 f0 33 14 e9 87 04 00 00 8b 34 24 e9 89 exception.symbol: sera+0x410bb2 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4262834 exception.address: 0xfd0bb2 registers.esp: 2751760 registers.edi: 606896464 registers.eax: 0 registers.ebp: 4004708372 registers.edx: 0 registers.ebx: 16586273 registers.esi: 0 registers.ecx: 731028877	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 c8 f9 ff ff 5d 89 c1 e9 22 fd ff ff 8b 0c exception.symbol: sera+0x413f41 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4276033 exception.address: 0xfd3f41 registers.esp: 2751760 registers.edi: 0 registers.eax: 32235 registers.ebp: 4004708372 registers.edx: 16596945 registers.ebx: 1460101480 registers.esi: 0 registers.ecx: 731028877	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 31 f6 e9 00 00 00 00 ff 34 16 ff 34 24 e9 00 exception.symbol: sera+0x4149d3 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4278739 exception.address: 0xfd49d3 registers.esp: 2751760 registers.edi: 0 registers.eax: 30461 registers.ebp: 4004708372 registers.edx: 16627784 registers.ebx: 1460101480 registers.esi: 0 registers.ecx: 731028877	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 36 0a 9e 77 e9 a3 01 00 00 8b 0c exception.symbol: sera+0x41420b exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4276747 exception.address: 0xfd420b registers.esp: 2751760 registers.edi: 0 registers.eax: 81129 registers.ebp: 4004708372 registers.edx: 16627784 registers.ebx: 1460101480 registers.esi: 4294939260 registers.ecx: 731028877	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 cc 02 00 00 bb b8 fd ff 73 81 eb dd 3e e7 exception.symbol: sera+0x415aaa exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4283050 exception.address: 0xfd5aaa registers.esp: 2751756 registers.edi: 24937 registers.eax: 16603644 registers.ebp: 4004708372 registers.edx: 21860 registers.ebx: 1460101481 registers.esi: 46359 registers.ecx: 1091745047	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 50 b8 92 82 57 7b 52 ba c2 b6 1c 42 e9 3b f6 exception.symbol: sera+0x416410 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4285456 exception.address: 0xfd6410 registers.esp: 2751760 registers.edi: 24937 registers.eax: 16606933 registers.ebp: 4004708372 registers.edx: 21860 registers.ebx: 1371769171 registers.esi: 46359 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 68 c1 de ea 21 89 04 24 c7 04 24 5f 1a 65 19 exception.symbol: sera+0x42a832 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4368434 exception.address: 0xfea832 registers.esp: 2751756 registers.edi: 16667145 registers.eax: 28136 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 16687468 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 e9 6a f6 ff ff b8 exception.symbol: sera+0x42ab73 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4369267 exception.address: 0xfeab73 registers.esp: 2751760 registers.edi: 16667145 registers.eax: 28136 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 16715604 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 5a 06 00 00 5a 51 53 51 c7 04 24 f3 52 fb exception.symbol: sera+0x42a1b0 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4366768 exception.address: 0xfea1b0 registers.esp: 2751760 registers.edi: 16667145 registers.eax: 28136 registers.ebp: 4004708372 registers.edx: 2170377301 registers.ebx: 0 registers.esi: 16690224 registers.ecx: 0	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb e9 35 00 00 00 59 89 f5 5e 29 e9 5d 81 c1 36 exception.symbol: sera+0x43066e exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4392558 exception.address: 0xff066e registers.esp: 2751756 registers.edi: 16691493 registers.eax: 32986 registers.ebp: 4004708372 registers.edx: 842856 registers.ebx: 16691461 registers.esi: 16691457 registers.ecx: 16713100	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 55 bd 6a 5b 6f 78 57 bf f9 79 df exception.symbol: sera+0x430f0f exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4394767 exception.address: 0xff0f0f registers.esp: 2751760 registers.edi: 16691493 registers.eax: 32986 registers.ebp: 4004708372 registers.edx: 9451 registers.ebx: 4294937308 registers.esi: 16691457 registers.ecx: 16746086	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 33 56 e9 9e f8 ff ff 05 46 3c 3f exception.symbol: sera+0x4384d8 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4424920 exception.address: 0xff84d8 registers.esp: 2751760 registers.edi: 3997964239 registers.eax: 27833 registers.ebp: 4004708372 registers.edx: 842856 registers.ebx: 16771063 registers.esi: 33409244 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 c7 04 24 b8 c3 b9 77 e9 40 exception.symbol: sera+0x437ee6 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4423398 exception.address: 0xff7ee6 registers.esp: 2751760 registers.edi: 607947089 registers.eax: 27833 registers.ebp: 4004708372 registers.edx: 842856 registers.ebx: 16771063 registers.esi: 4294942292 registers.ecx: 714735616	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 56 be d1 9b ff 0f 01 f1 5e 81 c1 a3 7f 7b 3f exception.symbol: sera+0x4450b8 exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4477112 exception.address: 0x10050b8 registers.esp: 2751756 registers.edi: 16463245 registers.eax: 25612 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 337219475 registers.esi: 3773382680 registers.ecx: 16796195	1
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 54 8b 04 24 81 c4 04 00 00 exception.symbol: sera+0x44519a exception.instruction: sti exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 4477338 exception.address: 0x100519a registers.esp: 2751760 registers.edi: 16463245 registers.eax: 25612 registers.ebp: 4004708372 registers.edx: 2130566132 registers.ebx: 337219475 registers.esi: 3773382680 registers.ecx: 16821807	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.103/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.103/
request	POST http://185.215.113.103/e2b1563c6670f193.php
request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.103/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2024, 9:28 a.m.	process_identifier: 1540 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

sera.exe tried to sleep 178 seconds, actually delayed analysis time by 178 seconds

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x00000384 process_name: mobsync.exe process_identifier: 1552	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x00000384 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x00000384 process_name: conhost.exe process_identifier: 1440	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x00000384 process_name: sera.exe process_identifier: 1540	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x00000384 process_name: pw.exe process_identifier: 840	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x0000053c process_name: svchost.exe process_identifier: 2356	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x0000053c process_name: mscorsvw.exe process_identifier: 2384	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x0000053c process_name: mscorsvw.exe process_identifier: 2428	1	1
Process32NextW Sept. 13, 2024, 9:28 a.m.	snapshot_handle: 0x0000053c process_name: sppsvc.exe process_identifier: 2476	1	1

An executable file was downloaded by the process sera.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 13, 2024, 9:28 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.973075800148625, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.97307580015

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00197a00', u'virtual_address': u'0x004d6000', u'entropy': 7.953080368295282, u'name': u'wrhqshyt', u'virtual_size': u'0x00198000'}

entropy

7.9530803683

description

A section with a high entropy has been found

entropy

0.993895348837

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 13, 2024, 9:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.103

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 71 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 13, 2024, 9:28 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 13, 2024, 9:28 a.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 13, 2024, 9:28 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 2b c2 f4 3b 89 14 24 exception.symbol: sera+0x3cc502 exception.instruction: in eax, dx exception.module: sera.exe exception.exception_code: 0xc0000096 exception.offset: 3982594 exception.address: 0xf8c502 registers.esp: 2751792 registers.edi: 4337262 registers.eax: 1447909480 registers.ebp: 4004708372 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 16286287 registers.ecx: 20	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealc.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Themida.tc
ALYac	Trojan.GenericKDZ.107878
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.107878
Sangfor	Trojan.Win32.Agent.Vewc
BitDefender	Trojan.GenericKDZ.107878
Arcabit	Trojan.Generic.D1A566
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Trojan.GenericKDZ.107878
Rising	Trojan.Generic!8.C3 (CLOUD)
Emsisoft	Trojan.GenericKDZ.107878 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!7696FD52645F
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generickdz
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.7696fd52645fd5bd
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKDZ.107878
AhnLab-V3	Trojan/Win.Generic.R665962
McAfee	Artemis!7696FD52645F
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Downloader
Malwarebytes	Spyware.Stealc
Panda	Trj/CI.A
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEIMZ
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)

sera.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All