Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 21, 2024, 9:06 a.m.	Sept. 21, 2024, 9:10 a.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6daa440752eea065bbfd1f6c1cd37ed0`
SHA256	`a1970ec9ec2bb6c7f2dca7ca19c67cb9625af76ab6f7f35f60a018fa2a728209`
CRC32	`F7BB104F`
ssdeep	`49152:I3l5Bg6Xmx9RwCZXxJNEg1sQgrh6WWiSgIKzr9ocZ:Glzjm3RwCnrr2Q1hmd`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
652

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.103	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49163	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49163	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.215.113.103:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.103:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 21, 2024, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 9:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:06 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2024, 9:06 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.rsrc
section	.idata
section	hlsayvii
section	bioqaxiv
section	.taggant

One or more processes crashed (50 out of 115 events)

Time & API	Arguments	Status
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb 60 bd 14 00 bc ee e9 00 02 00 00 61 a9 ab 87 exception.symbol: random+0x241cd6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2366678 exception.address: 0xe91cd6 registers.esp: 4455000 registers.edi: 0 registers.eax: 4455016 registers.ebp: 4455016 registers.edx: 4455008 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 52 51 e9 9b f8 ff ff 5d e9 38 f9 ff ff ba e8 exception.symbol: random+0x2428e8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2369768 exception.address: 0xe928e8 registers.esp: 4454968 registers.edi: 0 registers.eax: 32806 registers.ebp: 4005298196 registers.edx: 4455008 registers.ebx: 15281742 registers.esi: 0 registers.ecx: 237801	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 e9 50 00 00 00 56 be 9b b5 42 80 exception.symbol: random+0x243be0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2374624 exception.address: 0xe93be0 registers.esp: 4454964 registers.edi: 0 registers.eax: 31234 registers.ebp: 4005298196 registers.edx: 4455008 registers.ebx: 15283119 registers.esi: 0 registers.ecx: 1815040657	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 e9 45 00 00 00 b8 exception.symbol: random+0x243bfe exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2374654 exception.address: 0xe93bfe registers.esp: 4454968 registers.edi: 0 registers.eax: 31234 registers.ebp: 4005298196 registers.edx: 1259 registers.ebx: 15286121 registers.esi: 0 registers.ecx: 1815040657	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 57 57 89 e7 81 c7 04 00 00 00 83 ef 04 e9 37 exception.symbol: random+0x3bf7bb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3930043 exception.address: 0x100f7bb registers.esp: 4454964 registers.edi: 15318461 registers.eax: 27681 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 61408169 registers.esi: 16824273 registers.ecx: 16840348	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 31 c0 ff 34 08 ff 34 24 ff 34 24 e9 00 00 00 exception.symbol: random+0x3c006c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3932268 exception.address: 0x101006c registers.esp: 4454968 registers.edi: 15318461 registers.eax: 27681 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 61408169 registers.esi: 16824273 registers.ecx: 16868029	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 56 68 bd 09 7e 49 e9 13 04 00 00 5e 31 d6 e9 exception.symbol: random+0x3bfa1c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3930652 exception.address: 0x100fa1c registers.esp: 4454968 registers.edi: 15318461 registers.eax: 4294942200 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 179945 registers.esi: 16824273 registers.ecx: 16868029	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb ba d5 93 cb 4b 31 ea 31 d5 31 ea 81 c5 ff ff exception.symbol: random+0x3c1893 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3938451 exception.address: 0x1011893 registers.esp: 4454968 registers.edi: 4294943132 registers.eax: 27564 registers.ebp: 4005298196 registers.edx: 1549541099 registers.ebx: 179945 registers.esi: 16824273 registers.ecx: 16875827	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 89 2c 24 57 55 c7 04 24 b3 7f bf exception.symbol: random+0x3c3735 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3946293 exception.address: 0x1013735 registers.esp: 4454968 registers.edi: 1242856423 registers.eax: 134889 registers.ebp: 4005298196 registers.edx: 2076516106 registers.ebx: 4294937888 registers.esi: 2076516106 registers.ecx: 16886385	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 e9 b3 c5 ff ff 89 04 exception.symbol: random+0x3ce958 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3991896 exception.address: 0x101e958 registers.esp: 4454960 registers.edi: 5123704 registers.eax: 1447909480 registers.ebp: 4005298196 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 16885633 registers.ecx: 20	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x3ccbe1 exception.address: 0x101cbe1 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 3984353 registers.esp: 4454960 registers.edi: 5123704 registers.eax: 1 registers.ebp: 4005298196 registers.edx: 22104 registers.ebx: 0 registers.esi: 16885633 registers.ecx: 20	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 b3 31 2d 12 01 exception.symbol: random+0x3d010a exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3997962 exception.address: 0x102010a registers.esp: 4454960 registers.edi: 5123704 registers.eax: 1447909480 registers.ebp: 4005298196 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16885633 registers.ecx: 10	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 8b f2 6a 00 55 e8 03 00 00 00 20 exception.symbol: random+0x3d2fe5 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 4009957 exception.address: 0x1022fe5 registers.esp: 4454928 registers.edi: 0 registers.eax: 4454928 registers.ebp: 4005298196 registers.edx: 12641 registers.ebx: 16920842 registers.esi: 1699586889 registers.ecx: 16920484	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 34 01 00 00 42 81 ea 9d 05 e7 5e e9 2f f7 exception.symbol: random+0x3d3e68 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4013672 exception.address: 0x1023e68 registers.esp: 4454968 registers.edi: 6379 registers.eax: 4294939676 registers.ebp: 4005298196 registers.edx: 1373268074 registers.ebx: 16952203 registers.esi: 1373241344 registers.ecx: 1373268074	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 e9 09 00 00 00 5e ff 34 24 e9 c6 exception.symbol: random+0x3db393 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4043667 exception.address: 0x102b393 registers.esp: 4454968 registers.edi: 604801363 registers.eax: 16954742 registers.ebp: 4005298196 registers.edx: 654654 registers.ebx: 1366641797 registers.esi: 0 registers.ecx: 16942879	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 52 ba c7 fb f5 5f 01 d6 5a 51 c7 04 24 92 34 exception.symbol: random+0x3e2fc9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4075465 exception.address: 0x1032fc9 registers.esp: 4454964 registers.edi: 15275686 registers.eax: 25916 registers.ebp: 4005298196 registers.edx: 6 registers.ebx: 50515471 registers.esi: 16984665 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 e9 c1 fa ff ff c1 2c 24 03 c1 2c exception.symbol: random+0x3e3317 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4076311 exception.address: 0x1033317 registers.esp: 4454968 registers.edi: 15275686 registers.eax: 25916 registers.ebp: 4005298196 registers.edx: 6 registers.ebx: 50515471 registers.esi: 17010581 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 57 68 a6 e5 f6 37 89 34 24 57 68 ba e7 fe 7c exception.symbol: random+0x3e2a8d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4074125 exception.address: 0x1032a8d registers.esp: 4454968 registers.edi: 15275686 registers.eax: 25916 registers.ebp: 4005298196 registers.edx: 6 registers.ebx: 45214035 registers.esi: 16987897 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 37 fe ff ff 89 24 24 83 04 24 04 5f 81 c7 exception.symbol: random+0x3e8605 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4097541 exception.address: 0x1038605 registers.esp: 4454960 registers.edi: 17008202 registers.eax: 1076201 registers.ebp: 4005298196 registers.edx: 228721198 registers.ebx: 235159812 registers.esi: 0 registers.ecx: 245713269	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 50 b8 6e 45 fa 3f 51 b9 a6 e5 ae 7d f7 d1 81 exception.symbol: random+0x3ed495 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4117653 exception.address: 0x103d495 registers.esp: 4454956 registers.edi: 17025719 registers.eax: 31709 registers.ebp: 4005298196 registers.edx: 1664478852 registers.ebx: 4022320895 registers.esi: 17008202 registers.ecx: 1681500989	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 56 e9 2c 01 00 00 59 83 c4 04 e9 0c 02 00 00 exception.symbol: random+0x3ecc1e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4115486 exception.address: 0x103cc1e registers.esp: 4454960 registers.edi: 17057428 registers.eax: 31709 registers.ebp: 4005298196 registers.edx: 1664478852 registers.ebx: 4022320895 registers.esi: 17008202 registers.ecx: 1681500989	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 d0 01 00 00 89 3c 24 e9 33 05 00 00 35 a0 exception.symbol: random+0x3ecd87 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4115847 exception.address: 0x103cd87 registers.esp: 4454960 registers.edi: 17028616 registers.eax: 31709 registers.ebp: 4005298196 registers.edx: 1664478852 registers.ebx: 4022320895 registers.esi: 0 registers.ecx: 604292949	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 55 00 00 00 89 14 24 50 89 1c 24 52 68 52 exception.symbol: random+0x40ca78 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4246136 exception.address: 0x105ca78 registers.esp: 4454924 registers.edi: 1373241344 registers.eax: 31736 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 17154182 registers.esi: 17150011 registers.ecx: 1373241344	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 68 61 f4 c6 14 89 3c 24 89 1c 24 89 14 24 c7 exception.symbol: random+0x40cad9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4246233 exception.address: 0x105cad9 registers.esp: 4454928 registers.edi: 1373241344 registers.eax: 0 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 17157302 registers.esi: 17150011 registers.ecx: 116969	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 68 81 5c 5a 2d e9 exception.symbol: random+0x40d509 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4248841 exception.address: 0x105d509 registers.esp: 4454928 registers.edi: 1373241344 registers.eax: 0 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 604292949 registers.esi: 17161971 registers.ecx: 1219662330	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 56 e9 c3 00 00 00 58 5b f7 d0 35 4d 89 86 53 exception.symbol: random+0x411488 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4265096 exception.address: 0x1061488 registers.esp: 4454928 registers.edi: 17169428 registers.eax: 27062 registers.ebp: 4005298196 registers.edx: 17169428 registers.ebx: 17300820 registers.esi: 322408 registers.ecx: 17202655	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 55 68 1e 9b 3f 27 e9 cc fb ff ff 40 e9 d7 f9 exception.symbol: random+0x411c95 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4267157 exception.address: 0x1061c95 registers.esp: 4454928 registers.edi: 4294943608 registers.eax: 3232065623 registers.ebp: 4005298196 registers.edx: 17169428 registers.ebx: 17300820 registers.esi: 322408 registers.ecx: 17202655	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 81 c2 6c 1e fb 1c 51 89 2c 24 52 68 a8 09 f3 exception.symbol: random+0x412657 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4269655 exception.address: 0x1062657 registers.esp: 4454924 registers.edi: 4294943608 registers.eax: 31443 registers.ebp: 4005298196 registers.edx: 17179141 registers.ebx: 17300820 registers.esi: 322408 registers.ecx: 17202655	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 9e fd ff ff c7 04 24 58 19 7b 1f 8b 14 24 exception.symbol: random+0x4126d3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4269779 exception.address: 0x10626d3 registers.esp: 4454928 registers.edi: 44777 registers.eax: 31443 registers.ebp: 4005298196 registers.edx: 17210584 registers.ebx: 17300820 registers.esi: 4294938516 registers.ecx: 17202655	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 01 2f 65 33 89 34 24 52 55 bd 23 exception.symbol: random+0x413517 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4273431 exception.address: 0x1063517 registers.esp: 4454928 registers.edi: 2298801283 registers.eax: 17213978 registers.ebp: 4005298196 registers.edx: 397926367 registers.ebx: 4294938812 registers.esi: 4294938516 registers.ecx: 1603475477	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 a9 05 00 00 b8 9c 4c af 2f 29 c3 58 56 89 exception.symbol: random+0x419228 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4297256 exception.address: 0x1069228 registers.esp: 4454928 registers.edi: 0 registers.eax: 17210378 registers.ebp: 4005298196 registers.edx: 0 registers.ebx: 3939837675 registers.esi: 4294938516 registers.ecx: 1969225870	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb bb d3 5a 2f 10 ba 96 36 39 6f e9 8d 05 00 00 exception.symbol: random+0x41a67c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4302460 exception.address: 0x106a67c registers.esp: 4454928 registers.edi: 3250542417 registers.eax: 31604 registers.ebp: 4005298196 registers.edx: 27307 registers.ebx: 1051421355 registers.esi: 0 registers.ecx: 17214701	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 be e1 2d e5 7f 55 c7 04 24 76 2d exception.symbol: random+0x41b7ac exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4306860 exception.address: 0x106b7ac registers.esp: 4454928 registers.edi: 3250542417 registers.eax: 32845 registers.ebp: 4005298196 registers.edx: 92120733 registers.ebx: 1620004401 registers.esi: 17247964 registers.ecx: 17214701	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 57 52 e9 a0 00 00 00 81 c6 fd b6 34 73 81 ee exception.symbol: random+0x41af47 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4304711 exception.address: 0x106af47 registers.esp: 4454928 registers.edi: 81129 registers.eax: 32845 registers.ebp: 4005298196 registers.edx: 4294937508 registers.ebx: 1620004401 registers.esi: 17247964 registers.ecx: 17214701	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 68 45 c3 86 70 e9 ca 00 00 00 bd 91 d7 d3 5b exception.symbol: random+0x42e71c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4384540 exception.address: 0x107e71c registers.esp: 4454924 registers.edi: 17293173 registers.eax: 25919 registers.ebp: 4005298196 registers.edx: 16951317 registers.ebx: 17264495 registers.esi: 3260396 registers.ecx: 1836937313	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 d2 01 00 00 81 f1 66 4d 82 a2 29 ca 8b 0c exception.symbol: random+0x42e16b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4383083 exception.address: 0x107e16b registers.esp: 4454928 registers.edi: 17319092 registers.eax: 25919 registers.ebp: 4005298196 registers.edx: 16951317 registers.ebx: 17264495 registers.esi: 82608982 registers.ecx: 4294944676	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 68 d6 02 9e 70 89 2c 24 68 e0 63 c7 6a 8b 2c exception.symbol: random+0x434875 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4409461 exception.address: 0x1084875 registers.esp: 4454928 registers.edi: 17297751 registers.eax: 27726 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 17345780 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 89 3c 24 83 ec 04 e9 56 fd ff ff exception.symbol: random+0x4345c7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4408775 exception.address: 0x10845c7 registers.esp: 4454928 registers.edi: 17297751 registers.eax: 27726 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 606896464 registers.esi: 17345780 registers.ecx: 4294942428	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 29 d2 e9 6a 00 00 00 81 ec 04 00 00 00 89 3c exception.symbol: random+0x43ce4f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4443727 exception.address: 0x108ce4f registers.esp: 4454928 registers.edi: 17342454 registers.eax: 17382556 registers.ebp: 4005298196 registers.edx: 2130566132 registers.ebx: 1026887728 registers.esi: 17345780 registers.ecx: 1373241344	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 50 e9 83 f8 ff ff 81 f3 81 a0 0c 7f 31 dd 5b exception.symbol: random+0x43d4f5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4445429 exception.address: 0x108d4f5 registers.esp: 4454928 registers.edi: 17342454 registers.eax: 17382556 registers.ebp: 4005298196 registers.edx: 4294940828 registers.ebx: 1026887728 registers.esi: 367612496 registers.ecx: 1373241344	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 52 83 ec 04 89 2c 24 bd 4c 22 f0 6f e9 a7 06 exception.symbol: random+0x441199 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4460953 exception.address: 0x1091199 registers.esp: 4454924 registers.edi: 17342454 registers.eax: 27645 registers.ebp: 4005298196 registers.edx: 106 registers.ebx: 17371421 registers.esi: 176744655 registers.ecx: 107	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 e9 57 0a 00 00 5b e9 ee 00 00 00 exception.symbol: random+0x441173 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4460915 exception.address: 0x1091173 registers.esp: 4454928 registers.edi: 17342454 registers.eax: 4294942484 registers.ebp: 4005298196 registers.edx: 605849942 registers.ebx: 17399066 registers.esi: 176744655 registers.ecx: 107	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 36 00 00 00 81 ca a4 be exception.symbol: random+0x44a08d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4497549 exception.address: 0x109a08d registers.esp: 4454924 registers.edi: 1967212189 registers.eax: 29114 registers.ebp: 4005298196 registers.edx: 16951317 registers.ebx: 17407684 registers.esi: 3260396 registers.ecx: 1836937313	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 53 e9 85 05 00 00 53 bb 3b 07 ef 7f 4b e9 56 exception.symbol: random+0x44a35d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4498269 exception.address: 0x109a35d registers.esp: 4454928 registers.edi: 1967212189 registers.eax: 29114 registers.ebp: 4005298196 registers.edx: 16951317 registers.ebx: 17436798 registers.esi: 3260396 registers.ecx: 1836937313	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 b8 a8 2c cf 7d 52 exception.symbol: random+0x44a5d1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4498897 exception.address: 0x109a5d1 registers.esp: 4454928 registers.edi: 1967212189 registers.eax: 29114 registers.ebp: 4005298196 registers.edx: 16951317 registers.ebx: 17436798 registers.esi: 4294941720 registers.ecx: 322689	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 50 b8 94 20 fd 6f 83 c0 ff 91 f7 d1 91 53 89 exception.symbol: random+0x45bd0f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4570383 exception.address: 0x10abd0f registers.esp: 4454928 registers.edi: 2617067145 registers.eax: 28110 registers.ebp: 4005298196 registers.edx: 783356520 registers.ebx: 17506993 registers.esi: 4294942056 registers.ecx: 2148043278	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 50 89 1c 24 68 1f 5b ef 2d 8b 1c 24 e9 ed fe exception.symbol: random+0x45ca83 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4573827 exception.address: 0x10aca83 registers.esp: 4454924 registers.edi: 2617067145 registers.eax: 30839 registers.ebp: 4005298196 registers.edx: 17482015 registers.ebx: 1222051568 registers.esi: 4294942056 registers.ecx: 2148043278	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 3c 24 c7 04 24 exception.symbol: random+0x45c999 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4573593 exception.address: 0x10ac999 registers.esp: 4454928 registers.edi: 2617067145 registers.eax: 30839 registers.ebp: 4005298196 registers.edx: 17512854 registers.ebx: 1222051568 registers.esi: 4294942056 registers.ecx: 2148043278	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 89 e1 81 c1 04 00 00 00 e9 exception.symbol: random+0x45c2ed exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4571885 exception.address: 0x10ac2ed registers.esp: 4454928 registers.edi: 1760003432 registers.eax: 30839 registers.ebp: 4005298196 registers.edx: 17512854 registers.ebx: 4294939408 registers.esi: 4294942056 registers.ecx: 2148043278	1
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: fb e9 88 fa ff ff ba 09 7b b1 4c 81 ee e8 1d b9 exception.symbol: random+0x465afd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 4610813 exception.address: 0x10b5afd registers.esp: 4454924 registers.edi: 17199736 registers.eax: 26453 registers.ebp: 4005298196 registers.edx: 395049983 registers.ebx: 16910336 registers.esi: 17518922 registers.ecx: 3738837507	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.103/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.103/
request	POST http://185.215.113.103/e2b1563c6670f193.php
request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.103/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 81920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:06 a.m.	process_identifier: 652 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

random.exe tried to sleep 178 seconds, actually delayed analysis time by 178 seconds

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 21, 2024, 9:06 a.m.	snapshot_handle: 0x00000374 process_name: taskhost.exe process_identifier: 508	1	1
Process32NextW Sept. 21, 2024, 9:06 a.m.	snapshot_handle: 0x00000374 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW Sept. 21, 2024, 9:06 a.m.	snapshot_handle: 0x00000530 process_name: mscorsvw.exe process_identifier: 2440	1	1

An executable file was downloaded by the process random.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:06 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00013a00', u'virtual_address': u'0x00001000', u'entropy': 7.966977636621546, u'name': u' \\x00 ', u'virtual_size': u'0x0023d000'}

entropy

7.96697763662

description

A section with a high entropy has been found

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000374 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 21, 2024, 9:06 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.103

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 71 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:06 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 9:06 a.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2024, 9:06 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 e9 b3 c5 ff ff 89 04 exception.symbol: random+0x3ce958 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3991896 exception.address: 0x101e958 registers.esp: 4454960 registers.edi: 5123704 registers.eax: 1447909480 registers.ebp: 4005298196 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 16885633 registers.ecx: 20	1	0	0

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All