Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2024, 1:24 p.m.	Sept. 17, 2024, 1:26 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8bc68fd89fc539a6f195fb11cafff7dd`
SHA256	`8075620c17e17a2b207561a491e1cb873b5fa86fe2df1b4130a3f0afb05a67ab`
CRC32	`BAFE4D45`
ssdeep	`49152:FQV7UMxHP8iPpaFFrftubbiz5pdjFeTR:FoUmPpaFFrEbbiz5DU`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2076

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.103	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.215.113.103:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49162	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.215.113.103:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49162	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.215.113.103:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 17, 2024, 1:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 17, 2024, 1:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 17, 2024, 1:24 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (15 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:24 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:24 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	sfkjqfyj
section	gwvxqktk
section	.taggant

One or more processes crashed (50 out of 125 events)

Time & API	Arguments	Status
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x4d20b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 5054649 exception.address: 0x16f20b9 registers.esp: 3274740 registers.edi: 0 registers.eax: 1 registers.ebp: 3274756 registers.edx: 25726976 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 e9 2a 02 00 00 5f 31 c6 58 81 e6 4c 41 ba exception.symbol: random+0x242194 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2367892 exception.address: 0x1462194 registers.esp: 3274708 registers.edi: 1971192040 registers.eax: 25643 registers.ebp: 4011393044 registers.edx: 21397912 registers.ebx: 21364736 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 68 8a 76 63 3a 89 1c 24 c7 04 24 72 12 7b 7f exception.symbol: random+0x2425de exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2368990 exception.address: 0x14625de registers.esp: 3274708 registers.edi: 1971192040 registers.eax: 235753 registers.ebp: 4011393044 registers.edx: 21375180 registers.ebx: 21364736 registers.esi: 3 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 51 b9 6f 08 bf 3f 41 e9 4a 03 00 00 81 f2 38 exception.symbol: random+0x243550 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2372944 exception.address: 0x1463550 registers.esp: 3274704 registers.edi: 1971192040 registers.eax: 21376554 registers.ebp: 4011393044 registers.edx: 21375180 registers.ebx: 1506721636 registers.esi: 3 registers.ecx: 1624664615	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 be 66 df bc 7a 31 d6 e9 ab 05 00 00 87 3c exception.symbol: random+0x243371 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2372465 exception.address: 0x1463371 registers.esp: 3274708 registers.edi: 1971192040 registers.eax: 21404920 registers.ebp: 4011393044 registers.edx: 21375180 registers.ebx: 1506721636 registers.esi: 3 registers.ecx: 1624664615	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 6f fe ff ff 33 14 24 31 14 24 33 14 24 5c exception.symbol: random+0x24323f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2372159 exception.address: 0x146323f registers.esp: 3274708 registers.edi: 1971192040 registers.eax: 21379620 registers.ebp: 4011393044 registers.edx: 21375180 registers.ebx: 0 registers.esi: 1259 registers.ecx: 1624664615	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 68 ce 72 73 0b 89 1c 24 bb c7 3c fb 7f 43 exception.symbol: random+0x3b9500 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3904768 exception.address: 0x15d9500 registers.esp: 3274704 registers.edi: 21411445 registers.eax: 28789 registers.ebp: 4011393044 registers.edx: 22908549 registers.ebx: 2347008 registers.esi: 22907981 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 64 92 bb 5b 89 04 24 c7 04 24 05 exception.symbol: random+0x3b8ff9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3903481 exception.address: 0x15d8ff9 registers.esp: 3274708 registers.edi: 4294941264 registers.eax: 2298801283 registers.ebp: 4011393044 registers.edx: 22937338 registers.ebx: 2347008 registers.esi: 22907981 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 52 ba 1f 21 bf 7e 01 d6 e9 27 08 00 00 54 8b exception.symbol: random+0x3be384 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3924868 exception.address: 0x15de384 registers.esp: 3274704 registers.edi: 4294941264 registers.eax: 28158 registers.ebp: 4011393044 registers.edx: 2130566132 registers.ebx: 7143533 registers.esi: 22930251 registers.ecx: 109	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 68 d1 5d 6e 7b 5a 68 63 7b 93 2d 89 14 24 e9 exception.symbol: random+0x3bee76 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3927670 exception.address: 0x15dee76 registers.esp: 3274708 registers.edi: 1549541099 registers.eax: 0 registers.ebp: 4011393044 registers.edx: 2130566132 registers.ebx: 7143533 registers.esi: 22933153 registers.ecx: 109	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 55 bd b7 7e b5 7f 68 c8 d1 a5 73 89 0c 24 50 exception.symbol: random+0x3c64ac exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3957932 exception.address: 0x15e64ac registers.esp: 3274704 registers.edi: 22962094 registers.eax: 31791 registers.ebp: 4011393044 registers.edx: 42336 registers.ebx: 22933179 registers.esi: 42904 registers.ecx: 14288	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 be 5d c3 be 7f b9 98 6f 1f a3 50 b8 34 4f exception.symbol: random+0x3c6194 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3957140 exception.address: 0x15e6194 registers.esp: 3274708 registers.edi: 22964833 registers.eax: 31791 registers.ebp: 4011393044 registers.edx: 0 registers.ebx: 1114345 registers.esi: 42904 registers.ecx: 14288	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 54 59 81 c1 04 00 00 exception.symbol: random+0x3c7fa5 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3964837 exception.address: 0x15e7fa5 registers.esp: 3274700 registers.edi: 22964833 registers.eax: 1447909480 registers.ebp: 4011393044 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 22968997 registers.ecx: 20	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x3ccbda exception.address: 0x15ecbda exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 3984346 registers.esp: 3274700 registers.edi: 22964833 registers.eax: 1 registers.ebp: 4011393044 registers.edx: 22104 registers.ebx: 0 registers.esi: 22968997 registers.ecx: 20	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 25 2c 2d 12 01 exception.symbol: random+0x3c95e2 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3970530 exception.address: 0x15e95e2 registers.esp: 3274700 registers.edi: 22964833 registers.eax: 1447909480 registers.ebp: 4011393044 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 22968997 registers.ecx: 10	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 57 50 89 e0 05 04 00 00 00 57 e9 00 00 00 00 exception.symbol: random+0x3d073a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3999546 exception.address: 0x15f073a registers.esp: 3274708 registers.edi: 22964833 registers.eax: 3469836384 registers.ebp: 4011393044 registers.edx: 0 registers.ebx: 23006628 registers.esi: 10 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f bf cb f9 64 8f 05 00 00 00 00 8b exception.symbol: random+0x3d0fdf exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 4001759 exception.address: 0x15f0fdf registers.esp: 3274668 registers.edi: 0 registers.eax: 3274668 registers.ebp: 4011393044 registers.edx: 798436072 registers.ebx: 23007397 registers.esi: 1897861285 registers.ecx: 4261	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 68 fc bb 96 7c 89 14 24 50 b8 97 b1 bd 7d 89 exception.symbol: random+0x3df903 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4061443 exception.address: 0x15ff903 registers.esp: 3274704 registers.edi: 21365070 registers.eax: 26470 registers.ebp: 4011393044 registers.edx: 6 registers.ebx: 23064887 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 53 bb e0 52 da 60 81 c3 88 27 ed 73 e9 7e 07 exception.symbol: random+0x3df291 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4059793 exception.address: 0x15ff291 registers.esp: 3274708 registers.edi: 21365070 registers.eax: 0 registers.ebp: 4011393044 registers.edx: 6 registers.ebx: 23067861 registers.esi: 1971262480 registers.ecx: 9693526	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 00 6b 12 67 89 2c 24 e9 e7 fd ff exception.symbol: random+0x3e14d7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4068567 exception.address: 0x16014d7 registers.esp: 3274704 registers.edi: 21365070 registers.eax: 27477 registers.ebp: 4011393044 registers.edx: 6 registers.ebx: 23067861 registers.esi: 23073384 registers.ecx: 431519232	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 56 89 2c 24 53 e9 exception.symbol: random+0x3e1897 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4069527 exception.address: 0x1601897 registers.esp: 3274708 registers.edi: 21365070 registers.eax: 27477 registers.ebp: 4011393044 registers.edx: 6 registers.ebx: 10938707 registers.esi: 23100861 registers.ecx: 4294942572	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 bd a1 8e 27 33 e9 58 03 00 00 89 exception.symbol: random+0x3e2323 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4072227 exception.address: 0x1602323 registers.esp: 3274708 registers.edi: 21365070 registers.eax: 32041 registers.ebp: 4011393044 registers.edx: 872943736 registers.ebx: 23079541 registers.esi: 1179202795 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 a3 fa ff ff 47 c1 e7 03 81 cf e2 e6 f6 30 exception.symbol: random+0x3e708c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4092044 exception.address: 0x160708c registers.esp: 3274696 registers.edi: 21365070 registers.eax: 27711 registers.ebp: 4011393044 registers.edx: 1306049045 registers.ebx: 23079541 registers.esi: 23095644 registers.ecx: 1306049045	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 51 e9 a7 07 00 00 89 d0 5a 81 44 24 04 14 43 exception.symbol: random+0x3e6c79 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4091001 exception.address: 0x1606c79 registers.esp: 3274700 registers.edi: 21365070 registers.eax: 27711 registers.ebp: 4011393044 registers.edx: 82608464 registers.ebx: 4294942724 registers.esi: 23123355 registers.ecx: 1306049045	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 55 68 6b 18 31 33 e9 c5 02 00 00 01 f0 51 b9 exception.symbol: random+0x3f61f1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4153841 exception.address: 0x16161f1 registers.esp: 3274700 registers.edi: 39190 registers.eax: 23188339 registers.ebp: 4011393044 registers.edx: 2130566132 registers.ebx: 961873017 registers.esi: 1728095320 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 68 5c eb f8 7b 8b 14 24 57 c7 04 24 14 ee 9a exception.symbol: random+0x3f5e68 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4152936 exception.address: 0x1615e68 registers.esp: 3274700 registers.edi: 39190 registers.eax: 23160399 registers.ebp: 4011393044 registers.edx: 0 registers.ebx: 961873017 registers.esi: 1459645024 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 b3 03 00 00 54 5a 81 c2 04 00 00 00 81 c2 exception.symbol: random+0x408142 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4227394 exception.address: 0x1628142 registers.esp: 3274664 registers.edi: 2130566132 registers.eax: 27735 registers.ebp: 4011393044 registers.edx: 2130566132 registers.ebx: 2876303745 registers.esi: 23226503 registers.ecx: 23230621	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 57 54 8b 3c 24 83 c4 04 e9 e2 ff ff ff 81 c4 exception.symbol: random+0x40817d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4227453 exception.address: 0x162817d registers.esp: 3274668 registers.edi: 2130566132 registers.eax: 27735 registers.ebp: 4011393044 registers.edx: 2130566132 registers.ebx: 2876303745 registers.esi: 23226503 registers.ecx: 23258356	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 52 e9 36 f6 ff ff exception.symbol: random+0x408385 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4227973 exception.address: 0x1628385 registers.esp: 3274668 registers.edi: 2130566132 registers.eax: 27735 registers.ebp: 4011393044 registers.edx: 1342204512 registers.ebx: 0 registers.esi: 23226503 registers.ecx: 23233808	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 7f 8c 66 7b 89 3c 24 bf f1 66 e1 exception.symbol: random+0x40ad81 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4238721 exception.address: 0x162ad81 registers.esp: 3274664 registers.edi: 23199744 registers.eax: 25742 registers.ebp: 4011393044 registers.edx: 45086780 registers.ebx: 23242089 registers.esi: 23241261 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 a7 fe ff ff 81 c7 04 00 00 00 68 27 7d d8 exception.symbol: random+0x40a7e0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4237280 exception.address: 0x162a7e0 registers.esp: 3274668 registers.edi: 23199744 registers.eax: 25742 registers.ebp: 4011393044 registers.edx: 45086780 registers.ebx: 23267831 registers.esi: 23241261 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 3a fd ff ff 81 eb d5 00 ae 4c 01 da 5b 51 exception.symbol: random+0x40ad5e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4238686 exception.address: 0x162ad5e registers.esp: 3274668 registers.edi: 322689 registers.eax: 25742 registers.ebp: 4011393044 registers.edx: 45086780 registers.ebx: 23244847 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 05 87 67 9f 73 05 06 e3 eb 7e 03 04 24 2d 06 exception.symbol: random+0x40b685 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4241029 exception.address: 0x162b685 registers.esp: 3274664 registers.edi: 322689 registers.eax: 23245104 registers.ebp: 4011393044 registers.edx: 45086780 registers.ebx: 23244847 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 51 68 01 46 bb 7a 59 56 be f9 86 c5 18 31 f1 exception.symbol: random+0x40b3dc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4240348 exception.address: 0x162b3dc registers.esp: 3274668 registers.edi: 322689 registers.eax: 23248173 registers.ebp: 4011393044 registers.edx: 45086780 registers.ebx: 23244847 registers.esi: 711040397 registers.ecx: 0	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 50 68 a2 1a d7 7f ff 34 24 e9 21 02 00 00 56 exception.symbol: random+0x40c6b1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4245169 exception.address: 0x162c6b1 registers.esp: 3274668 registers.edi: 322689 registers.eax: 44777 registers.ebp: 4011393044 registers.edx: 585074096 registers.ebx: 0 registers.esi: 711040397 registers.ecx: 23251450	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 51 e9 8e fb ff ff 50 b8 d0 e0 bd 71 89 c1 58 exception.symbol: random+0x4124ae exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4269230 exception.address: 0x16324ae registers.esp: 3274668 registers.edi: 23275842 registers.eax: 28851 registers.ebp: 4011393044 registers.edx: 0 registers.ebx: 65804 registers.esi: 0 registers.ecx: 83433	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 00 00 00 00 ff 34 24 e9 28 07 00 exception.symbol: random+0x413506 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4273414 exception.address: 0x1633506 registers.esp: 3274668 registers.edi: 52036 registers.eax: 32443 registers.ebp: 4011393044 registers.edx: 2095172420 registers.ebx: 2095172420 registers.esi: 23310220 registers.ecx: 11604	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 33 04 exception.symbol: random+0x4133d0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4273104 exception.address: 0x16333d0 registers.esp: 3274668 registers.edi: 52036 registers.eax: 4294937976 registers.ebp: 4011393044 registers.edx: 2095172420 registers.ebx: 9038160 registers.esi: 23310220 registers.ecx: 11604	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 89 0c 24 c7 04 24 c5 fa b3 7f c1 exception.symbol: random+0x415627 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4281895 exception.address: 0x1635627 registers.esp: 3274668 registers.edi: 52036 registers.eax: 30263 registers.ebp: 4011393044 registers.edx: 2095172420 registers.ebx: 4294939684 registers.esi: 23316850 registers.ecx: 81129	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 50 53 68 94 66 1f 1e 5b 81 f3 96 c5 d0 6e 89 exception.symbol: random+0x424a17 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4344343 exception.address: 0x1644a17 registers.esp: 3274664 registers.edi: 3164143636 registers.eax: 26939 registers.ebp: 4011393044 registers.edx: 673712830 registers.ebx: 3187476181 registers.esi: 23346865 registers.ecx: 697045391	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 31 ff 34 24 5f 51 89 e1 e9 70 00 exception.symbol: random+0x424006 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4341766 exception.address: 0x1644006 registers.esp: 3274668 registers.edi: 3164143636 registers.eax: 26939 registers.ebp: 4011393044 registers.edx: 673712830 registers.ebx: 3187476181 registers.esi: 23373804 registers.ecx: 697045391	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 68 92 e7 73 3d 89 04 24 c7 04 24 6b 81 97 38 exception.symbol: random+0x4248f2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4344050 exception.address: 0x16448f2 registers.esp: 3274668 registers.edi: 15198545 registers.eax: 26939 registers.ebp: 4011393044 registers.edx: 673712830 registers.ebx: 3187476181 registers.esi: 23373804 registers.ecx: 4294943356	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 68 78 a1 9e 1d e9 20 00 00 00 exception.symbol: random+0x42a9dc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4368860 exception.address: 0x164a9dc registers.esp: 3274668 registers.edi: 23351188 registers.eax: 31822 registers.ebp: 4011393044 registers.edx: 2089336 registers.ebx: 23404494 registers.esi: 23351152 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 54 5a 81 c2 04 00 00 00 e9 exception.symbol: random+0x42aec5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4370117 exception.address: 0x164aec5 registers.esp: 3274668 registers.edi: 23351188 registers.eax: 31822 registers.ebp: 4011393044 registers.edx: 0 registers.ebx: 23375746 registers.esi: 17426771 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 56 be af 07 e1 56 81 ce 74 e7 fb 53 68 c2 26 exception.symbol: random+0x438302 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4424450 exception.address: 0x1658302 registers.esp: 3274664 registers.edi: 23418879 registers.eax: 30836 registers.ebp: 4011393044 registers.edx: 23429583 registers.ebx: 1969225702 registers.esi: 17426771 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 da ff ff ff 09 fd 5f f7 d5 68 2c 64 e4 17 exception.symbol: random+0x43837a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4424570 exception.address: 0x165837a registers.esp: 3274668 registers.edi: 23418879 registers.eax: 30836 registers.ebp: 4011393044 registers.edx: 23460419 registers.ebx: 1969225702 registers.esi: 17426771 registers.ecx: 1400897536	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 2d ff ff ff bd 5b 6f cf exception.symbol: random+0x438479 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4424825 exception.address: 0x1658479 registers.esp: 3274668 registers.edi: 23418879 registers.eax: 30836 registers.ebp: 4011393044 registers.edx: 23460419 registers.ebx: 1969225702 registers.esi: 4294939080 registers.ecx: 604292944	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 81 eb 4d b0 ef 2e 57 e9 28 00 00 00 81 c7 d4 exception.symbol: random+0x4455d7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4478423 exception.address: 0x16655d7 registers.esp: 3274664 registers.edi: 1400897536 registers.eax: 27648 registers.ebp: 4011393044 registers.edx: 673712830 registers.ebx: 23482083 registers.esi: 8896492 registers.ecx: 673712830	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb e9 73 02 00 00 83 c0 04 87 04 24 8b 24 24 5f exception.symbol: random+0x44526c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4477548 exception.address: 0x166526c registers.esp: 3274668 registers.edi: 1400897536 registers.eax: 27648 registers.ebp: 4011393044 registers.edx: 4294942244 registers.ebx: 23509731 registers.esi: 604277079 registers.ecx: 673712830	1
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 e9 96 00 00 00 83 c1 04 87 0c 24 exception.symbol: random+0x44eac0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4516544 exception.address: 0x166eac0 registers.esp: 3274664 registers.edi: 3164143636 registers.eax: 26028 registers.ebp: 4011393044 registers.edx: 11 registers.ebx: 3187661375 registers.esi: 1409794028 registers.ecx: 23519452	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.103/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.103/
request	POST http://185.215.113.103/e2b1563c6670f193.php
request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.103/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01221000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:24 p.m.	process_identifier: 2076 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

random.exe tried to sleep 251 seconds, actually delayed analysis time by 251 seconds

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x0000037c process_name: taskhost.exe process_identifier: 296	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x0000037c process_name: SearchProtocolHost.exe process_identifier: 1984	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x0000037c process_name: cmd.exe process_identifier: 792	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x0000037c process_name: SearchFilterHost.exe process_identifier: 1680	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x0000037c process_name: pw.exe process_identifier: 2068	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x0000037c process_name: random.exe process_identifier: 2076	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x00000534 process_name: svchost.exe process_identifier: 2440	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x00000534 process_name: mscorsvw.exe process_identifier: 2468	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x00000534 process_name: mscorsvw.exe process_identifier: 2512	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x00000534 process_name: sppsvc.exe process_identifier: 2560	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x00000534 process_name: cmd.exe process_identifier: 2648	1	1
Process32NextW Sept. 17, 2024, 1:24 p.m.	snapshot_handle: 0x00000534 process_name: pw.exe process_identifier: 2680	1	1

An executable file was downloaded by the process random.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 17, 2024, 1:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.972037037514948, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.97203703751

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00195600', u'virtual_address': u'0x004d2000', u'entropy': 7.952452737677748, u'name': u'sfkjqfyj', u'virtual_size': u'0x00196000'}

entropy

7.95245273768

description

A section with a high entropy has been found

entropy

0.993863237873

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 17, 2024, 1:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.103

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 95 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 17, 2024, 1:24 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 17, 2024, 1:24 p.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 17, 2024, 1:24 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 54 59 81 c1 04 00 00 exception.symbol: random+0x3c7fa5 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3964837 exception.address: 0x15e7fa5 registers.esp: 3274700 registers.edi: 22964833 registers.eax: 1447909480 registers.ebp: 4011393044 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 22968997 registers.ecx: 20	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKDZ.107878
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.107878
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKDZ.107878
Arcabit	Trojan.Generic.D1A566
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Trojan.GenericKDZ.107878
Emsisoft	Trojan.GenericKDZ.107878 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!8BC68FD89FC5
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generickdz
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.8bc68fd89fc539a6
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Heur!.03A120A1
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKDZ.107878
Varist	W32/Themida.CM.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R665962
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealc
Zoner	Probably Heur.ExeHeaderL
Tencent	Win32.Trojan.Generic.Eajl
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All