Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 19, 2024, 10:23 a.m.	Sept. 19, 2024, 10:35 a.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b68de602a612382378707692d914e63e`
SHA256	`cabc08bd5428d593c82feafd16ffb81b35f596a23d57fcd739b442951b0994a0`
CRC32	`D5EC258B`
ssdeep	`49152:PqJ2VD9AK6O9FJJqG5Xk51Ib2IEruEdZHC0RPzigD2zv8i:42VDOK6O97JqG5Xk51dDDC0Rrh2zki`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description)

game.exe "C:\Users\test22\AppData\Local\Temp\game.exe"
184

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
162.241.62.63	Active	Moloch
185.215.113.103	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 185.215.113.103:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49161	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.103:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 19, 2024, 10:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 19, 2024, 10:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 19, 2024, 10:23 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0
IsDebuggerPresent Sept. 19, 2024, 10:23 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 19, 2024, 10:23 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.rsrc
section	.idata
section	yctsmbqx
section	ttaiowsu
section	.taggant

One or more processes crashed (50 out of 112 events)

Time & API	Arguments	Status
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb 60 bd 14 00 2d ee e9 00 02 00 00 26 1e 5f e3 exception.symbol: game+0x241bfd exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 2366461 exception.address: 0x5a1bfd registers.esp: 3341228 registers.edi: 0 registers.eax: 3341244 registers.ebp: 3341244 registers.edx: 3341236 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 57 68 d0 6e a4 59 89 1c 24 bb 78 44 f3 74 52 exception.symbol: game+0x242542 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 2368834 exception.address: 0x5a2542 registers.esp: 3341192 registers.edi: 0 registers.eax: 27789 registers.ebp: 3995926548 registers.edx: 3341236 registers.ebx: 5906476 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 31 ff ff 34 3b 81 ec 04 00 00 00 89 04 24 e9 exception.symbol: game+0x2428b3 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 2369715 exception.address: 0x5a28b3 registers.esp: 3341196 registers.edi: 0 registers.eax: 27789 registers.ebp: 3995926548 registers.edx: 3341236 registers.ebx: 5934265 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 56 e9 7a f6 ff ff 5f 05 0e d4 f7 exception.symbol: game+0x242c2d exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 2370605 exception.address: 0x5a2c2d registers.esp: 3341196 registers.edi: 4294942608 registers.eax: 235753 registers.ebp: 3995926548 registers.edx: 3341236 registers.ebx: 5934265 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 81 ee 34 13 63 7b 03 34 24 81 ec 04 00 00 00 exception.symbol: game+0x243728 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 2373416 exception.address: 0x5a3728 registers.esp: 3341192 registers.edi: 4294942608 registers.eax: 27427 registers.ebp: 3995926548 registers.edx: 520247114 registers.ebx: 5934265 registers.esi: 5910843 registers.ecx: 343683926	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb bb 68 a1 df 4d e9 26 fe ff ff 68 2d 7a 07 1d exception.symbol: game+0x243834 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 2373684 exception.address: 0x5a3834 registers.esp: 3341196 registers.edi: 1259 registers.eax: 27427 registers.ebp: 3995926548 registers.edx: 520247114 registers.ebx: 0 registers.esi: 5913622 registers.ecx: 343683926	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 53 bb d3 74 d1 00 81 ec 04 00 00 00 89 14 24 exception.symbol: game+0x3bd940 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3922240 exception.address: 0x71d940 registers.esp: 3341196 registers.edi: 5946223 registers.eax: 1206473296 registers.ebp: 3995926548 registers.edx: 7462500 registers.ebx: 0 registers.esi: 7458713 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 52 ba 28 af cf 7f e9 10 fd ff ff 89 1c 24 57 exception.symbol: game+0x3c2ee8 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3944168 exception.address: 0x722ee8 registers.esp: 3341196 registers.edi: 5946223 registers.eax: 29281 registers.ebp: 3995926548 registers.edx: 7511293 registers.ebx: 4294941664 registers.esi: 7458713 registers.ecx: 1549541099	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 51 b9 45 81 fb 7b e9 8a fb ff ff 89 f1 5e 01 exception.symbol: game+0x3cb2a1 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3977889 exception.address: 0x72b2a1 registers.esp: 3341192 registers.edi: 8990318 registers.eax: 27755 registers.ebp: 3995926548 registers.edx: 7515384 registers.ebx: 7485687 registers.esi: 0 registers.ecx: 7485687	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 50 e9 06 fa ff ff 50 b8 60 80 1b 7a 55 e9 06 exception.symbol: game+0x3cb717 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3979031 exception.address: 0x72b717 registers.esp: 3341196 registers.edi: 8990318 registers.eax: 27755 registers.ebp: 3995926548 registers.edx: 7543139 registers.ebx: 7485687 registers.esi: 0 registers.ecx: 7485687	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 55 50 56 c7 04 24 34 7e 68 78 81 34 24 17 cf exception.symbol: game+0x3cb663 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3978851 exception.address: 0x72b663 registers.esp: 3341196 registers.edi: 8990318 registers.eax: 1114345 registers.ebp: 3995926548 registers.edx: 7518251 registers.ebx: 0 registers.esi: 0 registers.ecx: 7485687	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 34 13 b8 47 89 2c 24 exception.symbol: game+0x3cfcbb exception.instruction: in eax, dx exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3996859 exception.address: 0x72fcbb registers.esp: 3341188 registers.edi: 8990318 registers.eax: 1447909480 registers.ebp: 3995926548 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 7522415 registers.ecx: 20	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: game+0x3cfc87 exception.address: 0x72fc87 exception.module: game.exe exception.exception_code: 0xc000001d exception.offset: 3996807 registers.esp: 3341188 registers.edi: 8990318 registers.eax: 1 registers.ebp: 3995926548 registers.edx: 22104 registers.ebx: 0 registers.esi: 7522415 registers.ecx: 20	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 3e 2f 2d 12 01 exception.symbol: game+0x3cdacd exception.instruction: in eax, dx exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3988173 exception.address: 0x72dacd registers.esp: 3341188 registers.edi: 8990318 registers.eax: 1447909480 registers.ebp: 3995926548 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 7522415 registers.ecx: 10	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 56 50 e9 83 f5 ff ff 89 c2 8b 04 24 e9 37 f7 exception.symbol: game+0x3d5e17 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4021783 exception.address: 0x735e17 registers.esp: 3341196 registers.edi: 8990318 registers.eax: 25929 registers.ebp: 3995926548 registers.edx: 7583740 registers.ebx: 50514781 registers.esi: 10 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 68 e7 5e 88 2d 89 3c 24 53 89 34 24 68 79 87 exception.symbol: game+0x3d5879 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4020345 exception.address: 0x735879 registers.esp: 3341196 registers.edi: 8990318 registers.eax: 0 registers.ebp: 3995926548 registers.edx: 7560848 registers.ebx: 50514781 registers.esi: 10 registers.ecx: 1370464	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: game+0x3d60a5 exception.instruction: int 1 exception.module: game.exe exception.exception_code: 0xc0000005 exception.offset: 4022437 exception.address: 0x7360a5 registers.esp: 3341156 registers.edi: 0 registers.eax: 3341156 registers.ebp: 3995926548 registers.edx: 2019586719 registers.ebx: 7561704 registers.esi: 7536640 registers.ecx: 819016032	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 e9 89 fa ff ff 4f 50 b8 77 a0 fe exception.symbol: game+0x3e5456 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4084822 exception.address: 0x745456 registers.esp: 3341196 registers.edi: 1141481 registers.eax: 25530 registers.ebp: 3995926548 registers.edx: 0 registers.ebx: 7623881 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 50 b8 7a 9c e7 73 05 b1 99 fb 74 35 9f 15 84 exception.symbol: game+0x3e6f54 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4091732 exception.address: 0x746f54 registers.esp: 3341192 registers.edi: 1141481 registers.eax: 25917 registers.ebp: 3995926548 registers.edx: 1766942017 registers.ebx: 256520049 registers.esi: 1971262480 registers.ecx: 7629049	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 57 56 be 44 a5 d5 3f e9 4b 02 00 00 54 5a 81 exception.symbol: game+0x3e719b exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4092315 exception.address: 0x74719b registers.esp: 3341196 registers.edi: 2179369302 registers.eax: 0 registers.ebp: 3995926548 registers.edx: 1766942017 registers.ebx: 256520049 registers.esi: 1971262480 registers.ecx: 7631986	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 29 c0 50 89 14 24 89 c2 68 b7 3d 51 4f e9 4d exception.symbol: game+0x3e7b18 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4094744 exception.address: 0x747b18 registers.esp: 3341196 registers.edi: 2179369302 registers.eax: 26658 registers.ebp: 3995926548 registers.edx: 797961025 registers.ebx: 760169575 registers.esi: 1971262480 registers.ecx: 7659106	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 50 e9 b6 04 00 00 21 df 5b 68 4f c2 b7 19 e9 exception.symbol: game+0x3e7a69 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4094569 exception.address: 0x747a69 registers.esp: 3341196 registers.edi: 2179369302 registers.eax: 4294943204 registers.ebp: 3995926548 registers.edx: 797961025 registers.ebx: 760169575 registers.esi: 2761722984 registers.ecx: 7659106	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 57 e9 9e fa ff ff 51 b9 35 f0 cd 7d 81 c1 00 exception.symbol: game+0x3f4c90 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4148368 exception.address: 0x754c90 registers.esp: 3341184 registers.edi: 2179369302 registers.eax: 30650 registers.ebp: 3995926548 registers.edx: 2130566132 registers.ebx: 295723012 registers.esi: 7685213 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 55 81 ec 04 00 00 00 89 14 24 e9 61 08 00 00 exception.symbol: game+0x3f4565 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4146533 exception.address: 0x754565 registers.esp: 3341188 registers.edi: 2179369302 registers.eax: 30650 registers.ebp: 3995926548 registers.edx: 2130566132 registers.ebx: 4294939572 registers.esi: 7715863 registers.ecx: 1783979243	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 68 4f 45 08 17 89 3c 24 51 89 1c 24 52 68 7e exception.symbol: game+0x3fff87 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4194183 exception.address: 0x75ff87 registers.esp: 3341188 registers.edi: 0 registers.eax: 7733908 registers.ebp: 3995926548 registers.edx: 2130566132 registers.ebx: 116969 registers.esi: 774172694 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 68 c2 27 51 77 e9 ce f8 ff ff c1 e2 08 83 ea exception.symbol: game+0x414ed1 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4280017 exception.address: 0x774ed1 registers.esp: 3341156 registers.edi: 7845646 registers.eax: 1795275346 registers.ebp: 3995926548 registers.edx: 2130566132 registers.ebx: 1845494017 registers.esi: 4294941052 registers.ecx: 2138380627	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 9a 12 af 77 e9 ca 01 00 00 5e 56 exception.symbol: game+0x4154bf exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4281535 exception.address: 0x7754bf registers.esp: 3341156 registers.edi: 7845646 registers.eax: 4294942624 registers.ebp: 3995926548 registers.edx: 577973791 registers.ebx: 1636202123 registers.esi: 1337297248 registers.ecx: 7847173	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 68 c3 8c 6a 5d e9 9a f8 ff ff 81 f3 00 4f f3 exception.symbol: game+0x416eee exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4288238 exception.address: 0x776eee registers.esp: 3341156 registers.edi: 7857364 registers.eax: 32636 registers.ebp: 3995926548 registers.edx: 206774897 registers.ebx: 238018980 registers.esi: 1337297248 registers.ecx: 7847173	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 56 89 14 24 c7 04 24 05 28 5f 67 ff 34 24 8b exception.symbol: game+0x416b75 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4287349 exception.address: 0x776b75 registers.esp: 3341156 registers.edi: 7857364 registers.eax: 1426090592 registers.ebp: 3995926548 registers.edx: 206774897 registers.ebx: 4294937572 registers.esi: 1337297248 registers.ecx: 7847173	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 5f 00 00 00 f7 d7 c1 ef 07 81 f7 29 52 9e exception.symbol: game+0x41b776 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4306806 exception.address: 0x77b776 registers.esp: 3341152 registers.edi: 7843150 registers.eax: 30444 registers.ebp: 3995926548 registers.edx: 0 registers.ebx: 65804 registers.esi: 7827670 registers.ecx: 1969225870	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 89 34 24 e9 9a f9 ff ff 45 c1 ed exception.symbol: game+0x41b449 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4305993 exception.address: 0x77b449 registers.esp: 3341156 registers.edi: 7846234 registers.eax: 30444 registers.ebp: 3995926548 registers.edx: 0 registers.ebx: 65804 registers.esi: 7827670 registers.ecx: 760913293	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 52 ba 06 c4 ff 2e 68 69 01 5f 55 89 1c 24 e9 exception.symbol: game+0x41e069 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4317289 exception.address: 0x77e069 registers.esp: 3341156 registers.edi: 0 registers.eax: 7856851 registers.ebp: 3995926548 registers.edx: 81129 registers.ebx: 5909870 registers.esi: 7827670 registers.ecx: 760913293	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 29 c0 e9 ca 01 00 00 89 24 24 83 04 24 04 8b exception.symbol: game+0x41efb3 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4321203 exception.address: 0x77efb3 registers.esp: 3341156 registers.edi: 7892525 registers.eax: 32566 registers.ebp: 3995926548 registers.edx: 64470 registers.ebx: 2141363366 registers.esi: 7859039 registers.ecx: 166360612	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 fe 05 00 00 89 2c 24 bd d5 cd f6 55 81 ed exception.symbol: game+0x41f042 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4321346 exception.address: 0x77f042 registers.esp: 3341156 registers.edi: 7892525 registers.eax: 4294937668 registers.ebp: 3995926548 registers.edx: 1844034130 registers.ebx: 2141363366 registers.esi: 7859039 registers.ecx: 166360612	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 89 e0 05 04 00 00 exception.symbol: game+0x420553 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4326739 exception.address: 0x780553 registers.esp: 3341156 registers.edi: 7892525 registers.eax: 25712 registers.ebp: 3995926548 registers.edx: 7889088 registers.ebx: 2141363366 registers.esi: 4516182 registers.ecx: 4294944216	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 9e 01 00 00 31 74 24 04 e9 b1 00 00 00 c1 exception.symbol: game+0x4272f1 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4354801 exception.address: 0x7872f1 registers.esp: 3341156 registers.edi: 0 registers.eax: 31990 registers.ebp: 3995926548 registers.edx: 7895964 registers.ebx: 2147483650 registers.esi: 7874142 registers.ecx: 1995002192	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 45 a9 f7 7d 89 1c 24 e9 84 06 00 exception.symbol: game+0x438418 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4424728 exception.address: 0x798418 registers.esp: 3341152 registers.edi: 7940147 registers.eax: 27665 registers.ebp: 3995926548 registers.edx: 7963252 registers.ebx: 7940115 registers.esi: 7940111 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 9a 00 00 00 81 c4 04 00 00 00 81 ea cd dd exception.symbol: game+0x4384ea exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4424938 exception.address: 0x7984ea registers.esp: 3341156 registers.edi: 4294942832 registers.eax: 27665 registers.ebp: 3995926548 registers.edx: 7990917 registers.ebx: 604292944 registers.esi: 7940111 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 53 57 bf f6 4b ff 6d 50 89 f8 50 8b 1c 24 81 exception.symbol: game+0x445196 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4477334 exception.address: 0x7a5196 registers.esp: 3341152 registers.edi: 7995272 registers.eax: 28651 registers.ebp: 3995926548 registers.edx: 8016081 registers.ebx: 1969225702 registers.esi: 7915647 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 16 e9 36 f8 ff ff 8b 14 24 83 c4 exception.symbol: game+0x445b61 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4479841 exception.address: 0x7a5b61 registers.esp: 3341156 registers.edi: 7995272 registers.eax: 28651 registers.ebp: 3995926548 registers.edx: 8044732 registers.ebx: 1969225702 registers.esi: 7915647 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 3a 04 00 00 89 e7 e9 bd 06 00 00 exception.symbol: game+0x445385 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4477829 exception.address: 0x7a5385 registers.esp: 3341156 registers.edi: 7995272 registers.eax: 28651 registers.ebp: 3995926548 registers.edx: 8044732 registers.ebx: 2179172691 registers.esi: 4294941472 registers.ecx: 775159808	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 a3 f8 ff ff 2d 13 57 ff 5f 29 c8 e9 f9 00 exception.symbol: game+0x452e6b exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4533867 exception.address: 0x7b2e6b registers.esp: 3341156 registers.edi: 8103042 registers.eax: 2447987024 registers.ebp: 3995926548 registers.edx: 2130566132 registers.ebx: 8036199 registers.esi: 36225004 registers.ecx: 4294937844	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 89 04 24 c7 04 24 exception.symbol: game+0x45abe6 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4565990 exception.address: 0x7babe6 registers.esp: 3341156 registers.edi: 8075150 registers.eax: 26203 registers.ebp: 3995926548 registers.edx: 8129935 registers.ebx: 8075150 registers.esi: 36225004 registers.ecx: 12	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 02 07 00 00 29 d1 81 c1 b3 80 d3 exception.symbol: game+0x45a7bf exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4564927 exception.address: 0x7ba7bf registers.esp: 3341156 registers.edi: 0 registers.eax: 26203 registers.ebp: 3995926548 registers.edx: 8106703 registers.ebx: 8075150 registers.esi: 36225004 registers.ecx: 45541712	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 29 c0 e9 87 02 00 00 5b 87 2c 24 e9 f3 00 00 exception.symbol: game+0x47073e exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4654910 exception.address: 0x7d073e registers.esp: 3341156 registers.edi: 8225025 registers.eax: 31773 registers.ebp: 3995926548 registers.edx: 395049983 registers.ebx: 4001299895 registers.esi: 15692620 registers.ecx: 403241379	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 52 e9 b0 02 00 00 01 5c 24 04 5b e9 b8 05 00 exception.symbol: game+0x47054d exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4654413 exception.address: 0x7d054d registers.esp: 3341156 registers.edi: 8225025 registers.eax: 4294937900 registers.ebp: 3995926548 registers.edx: 395049983 registers.ebx: 633272424 registers.esi: 15692620 registers.ecx: 403241379	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 95 fe ff ff 52 e9 7b 01 exception.symbol: game+0x4712c9 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4657865 exception.address: 0x7d12c9 registers.esp: 3341156 registers.edi: 4294939204 registers.eax: 31200 registers.ebp: 3995926548 registers.edx: 605325653 registers.ebx: 633272424 registers.esi: 8227222 registers.ecx: 338113796	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 26 03 00 00 81 ea d4 2e fa 6e 01 fa 81 c2 exception.symbol: game+0x472267 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4661863 exception.address: 0x7d2267 registers.esp: 3341152 registers.edi: 4294939204 registers.eax: 8199490 registers.ebp: 3995926548 registers.edx: 550825974 registers.ebx: 633272424 registers.esi: 8227222 registers.ecx: 338113796	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb e9 6d ff ff ff 53 e9 e1 f8 ff ff 89 f0 5e 51 exception.symbol: game+0x4726b1 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4662961 exception.address: 0x7d26b1 registers.esp: 3341156 registers.edi: 4294939204 registers.eax: 8230736 registers.ebp: 3995926548 registers.edx: 550825974 registers.ebx: 633272424 registers.esi: 8227222 registers.ecx: 338113796	1
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: fb 56 e9 ed fc ff ff 81 f1 dc ba b6 3b 5b 31 c1 exception.symbol: game+0x472826 exception.instruction: sti exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 4663334 exception.address: 0x7d2826 registers.esp: 3341156 registers.edi: 4294939204 registers.eax: 8202364 registers.ebp: 3995926548 registers.edx: 550825974 registers.ebx: 0 registers.esi: 4011744184 registers.ecx: 338113796	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.103/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.103/
request	POST http://185.215.113.103/e2b1563c6670f193.php
request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.103/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00361000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2024, 10:23 a.m.	process_identifier: 184 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

game.exe tried to sleep 178 seconds, actually delayed analysis time by 178 seconds

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 19, 2024, 10:23 a.m.	snapshot_handle: 0x0000037c process_name: taskhost.exe process_identifier: 1836	1	1
Process32NextW Sept. 19, 2024, 10:23 a.m.	snapshot_handle: 0x0000037c process_name: pw.exe process_identifier: 1440	1	1
Process32NextW Sept. 19, 2024, 10:23 a.m.	snapshot_handle: 0x00000538 process_name: svchost.exe process_identifier: 2360	1	1
Process32NextW Sept. 19, 2024, 10:23 a.m.	snapshot_handle: 0x00000538 process_name: mscorsvw.exe process_identifier: 2432	1	1
Process32NextW Sept. 19, 2024, 10:23 a.m.	snapshot_handle: 0x00000538 process_name: sppsvc.exe process_identifier: 2480	1	1

An executable file was downloaded by the process game.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 19, 2024, 10:23 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00013c00', u'virtual_address': u'0x00001000', u'entropy': 7.965718891655525, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.96571889166

description

A section with a high entropy has been found

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 19, 2024, 10:23 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (2 events)

host	162.241.62.63
host	185.215.113.103

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 71 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2024, 10:23 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 19, 2024, 10:23 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 19, 2024, 10:23 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 34 13 b8 47 89 2c 24 exception.symbol: game+0x3cfcbb exception.instruction: in eax, dx exception.module: game.exe exception.exception_code: 0xc0000096 exception.offset: 3996859 exception.address: 0x72fcbb registers.esp: 3341188 registers.edi: 8990318 registers.eax: 1447909480 registers.ebp: 3995926548 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 7522415 registers.ecx: 20	1	0	0

game.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All