Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 26, 2024, 10:26 a.m.	Sept. 26, 2024, 10:33 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ef4d942f44362d48b109c8a182ba537d`
SHA256	`fb2fdeded1386ef31205d4e56c05942f49b0292688d14bdc0616c22cae4567b3`
CRC32	`FD6216B6`
ssdeep	`24576:lzjuGRTblK2S28Qw+XYLcg7Iv2w0gTT+alkoOndJT9yO+XnpvmOb/GLuSlh4Z3pM:lHuSI2SlQ1ewcGBUU/6uSlmmL`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description)

rana.exe "C:\Users\test22\AppData\Local\Temp\rana.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.37	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.37:80 -> 192.168.56.101:49161	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 192.168.56.101:49161 -> 185.215.113.37:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49161 -> 185.215.113.37:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.37:80 -> 192.168.56.101:49161	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49161 -> 185.215.113.37:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.37:80 -> 192.168.56.101:49161	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49161 -> 185.215.113.37:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49161 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 185.215.113.37:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.37:80 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.37:80 -> 192.168.56.101:49161	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.37:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.37:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.37:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.37:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:28 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:28 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:28 a.m.			0	0
IsDebuggerPresent Sept. 26, 2024, 10:28 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 26, 2024, 10:26 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	exbnbhbd
section	krctzlzf
section	.taggant

One or more processes crashed (50 out of 122 events)

Time & API	Arguments	Status
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: rana+0x4fd0b9 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 5230777 exception.address: 0x13bd0b9 registers.esp: 3799436 registers.edi: 0 registers.eax: 1 registers.ebp: 3799452 registers.edx: 22401024 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 55 e9 00 00 00 00 81 ec 04 00 00 00 89 3c 24 exception.symbol: rana+0x2607bd exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 2492349 exception.address: 0x11207bd registers.esp: 3799400 registers.edi: 1968898280 registers.eax: 29709 registers.ebp: 4007976980 registers.edx: 17956294 registers.ebx: 1968898280 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 53 e9 c2 fe ff ff 81 f1 78 c1 5d 37 01 cd e9 exception.symbol: rana+0x260748 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 2492232 exception.address: 0x1120748 registers.esp: 3799404 registers.edi: 1968898280 registers.eax: 29709 registers.ebp: 4007976980 registers.edx: 17986003 registers.ebx: 242921 registers.esi: 3 registers.ecx: 4294940160	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 92 06 00 00 83 c0 04 87 04 24 e9 77 01 00 exception.symbol: rana+0x26115e exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 2494814 exception.address: 0x112115e registers.esp: 3799404 registers.edi: 1259 registers.eax: 32214 registers.ebp: 4007976980 registers.edx: 567419420 registers.ebx: 17963278 registers.esi: 0 registers.ecx: 4294940160	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 15 01 00 00 5a 50 ff 74 24 04 8b 04 24 81 exception.symbol: rana+0x3dcb68 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4049768 exception.address: 0x129cb68 registers.esp: 3799400 registers.edi: 17995801 registers.eax: 27464 registers.ebp: 4007976980 registers.edx: 19515106 registers.ebx: 2469888 registers.esi: 19514629 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 13 ff 34 24 8b 04 24 52 54 8b 14 exception.symbol: rana+0x3dcd57 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4050263 exception.address: 0x129cd57 registers.esp: 3799404 registers.edi: 17995801 registers.eax: 27464 registers.ebp: 4007976980 registers.edx: 19542570 registers.ebx: 2469888 registers.esi: 19514629 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 50 51 e9 43 00 00 00 29 c2 58 68 a1 e7 9c 06 exception.symbol: rana+0x3dcf0b exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4050699 exception.address: 0x129cf0b registers.esp: 3799404 registers.edi: 17995801 registers.eax: 210325584 registers.ebp: 4007976980 registers.edx: 19542570 registers.ebx: 4294942228 registers.esi: 19514629 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 ba 9b 72 ef 7e 50 b8 08 5e exception.symbol: rana+0x3e23fe exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4072446 exception.address: 0x12a23fe registers.esp: 3799400 registers.edi: 17995801 registers.eax: 29981 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 19537296 registers.esi: 19514629 registers.ecx: 687	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 6a f5 ec 7f 51 68 fd 11 b7 7f 59 exception.symbol: rana+0x3e263d exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4073021 exception.address: 0x12a263d registers.esp: 3799404 registers.edi: 17995801 registers.eax: 4294940012 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 19567277 registers.esi: 50665 registers.ecx: 687	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 31 c0 e9 5e fd ff ff 83 c2 04 87 14 24 8b 24 exception.symbol: rana+0x3e9fe7 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4104167 exception.address: 0x12a9fe7 registers.esp: 3799404 registers.edi: 19602333 registers.eax: 32784 registers.ebp: 4007976980 registers.edx: 12254 registers.ebx: 19541982 registers.esi: 19543374 registers.ecx: 14288	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 0f 00 00 00 52 51 b9 b2 81 33 76 89 ca 59 exception.symbol: rana+0x3ea545 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4105541 exception.address: 0x12aa545 registers.esp: 3799404 registers.edi: 19602333 registers.eax: 4294937524 registers.ebp: 4007976980 registers.edx: 12254 registers.ebx: 1114345 registers.esi: 19543374 registers.ecx: 14288	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 54 8b 04 24 81 c4 04 exception.symbol: rana+0x3f0bc9 exception.instruction: in eax, dx exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4131785 exception.address: 0x12b0bc9 registers.esp: 3799396 registers.edi: 19602333 registers.eax: 1447909480 registers.ebp: 4007976980 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 19576725 registers.ecx: 20	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: rana+0x3ee049 exception.address: 0x12ae049 exception.module: rana.exe exception.exception_code: 0xc000001d exception.offset: 4120649 registers.esp: 3799396 registers.edi: 19602333 registers.eax: 1 registers.ebp: 4007976980 registers.edx: 22104 registers.ebx: 0 registers.esi: 19576725 registers.ecx: 20	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 cc 28 2d 12 01 exception.symbol: rana+0x3f12bd exception.instruction: in eax, dx exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4133565 exception.address: 0x12b12bd registers.esp: 3799396 registers.edi: 19602333 registers.eax: 1447909480 registers.ebp: 4007976980 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19576725 registers.ecx: 10	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 51 55 e9 db f9 ff ff 81 e1 a8 28 9d 3c 81 e9 exception.symbol: rana+0x3f4842 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4147266 exception.address: 0x12b4842 registers.esp: 3799404 registers.edi: 19602333 registers.eax: 19642682 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 21660702 registers.esi: 10 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 53 e9 00 00 00 00 51 b9 4a f2 c8 37 89 cb 59 exception.symbol: rana+0x3f4bf5 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4148213 exception.address: 0x12b4bf5 registers.esp: 3799404 registers.edi: 19602333 registers.eax: 19614974 registers.ebp: 4007976980 registers.edx: 3102903136 registers.ebx: 21660702 registers.esi: 0 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 81 e9 01 e1 6a 00 53 e8 03 00 00 exception.symbol: rana+0x3f4f2f exception.instruction: int 1 exception.module: rana.exe exception.exception_code: 0xc0000005 exception.offset: 4149039 exception.address: 0x12b4f2f registers.esp: 3799364 registers.edi: 0 registers.eax: 3799364 registers.ebp: 4007976980 registers.edx: 2125325077 registers.ebx: 19615913 registers.esi: 19649425 registers.ecx: 518197721	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 b9 dc 8b ff 2d 50 exception.symbol: rana+0x403d74 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4210036 exception.address: 0x12c3d74 registers.esp: 3799400 registers.edi: 17950998 registers.eax: 26863 registers.ebp: 4007976980 registers.edx: 6 registers.ebx: 21660939 registers.esi: 19676442 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 29 c9 68 5d e0 e9 1d 89 14 24 e9 e4 02 00 00 exception.symbol: rana+0x404267 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4211303 exception.address: 0x12c4267 registers.esp: 3799404 registers.edi: 17950998 registers.eax: 26863 registers.ebp: 4007976980 registers.edx: 6 registers.ebx: 21660939 registers.esi: 19703305 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 c6 00 00 00 81 c7 b7 3c f1 64 31 fa e9 3b exception.symbol: rana+0x404029 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4210729 exception.address: 0x12c4029 registers.esp: 3799404 registers.edi: 17950998 registers.eax: 1179202795 registers.ebp: 4007976980 registers.edx: 6 registers.ebx: 21660939 registers.esi: 19703305 registers.ecx: 4294943656	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 50 54 58 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: rana+0x409265 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4231781 exception.address: 0x12c9265 registers.esp: 3799396 registers.edi: 17950998 registers.eax: 31550 registers.ebp: 4007976980 registers.edx: 201439569 registers.ebx: 553598575 registers.esi: 19698754 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 c7 04 24 13 0b 72 exception.symbol: rana+0x409d1d exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4234525 exception.address: 0x12c9d1d registers.esp: 3799396 registers.edi: 17950998 registers.eax: 1347507792 registers.ebp: 4007976980 registers.edx: 0 registers.ebx: 19702013 registers.esi: 19698754 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 56 f9 ff ff 89 f0 50 81 34 24 a3 4f 7f 7d exception.symbol: rana+0x40f73b exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4257595 exception.address: 0x12cf73b registers.esp: 3799396 registers.edi: 17950998 registers.eax: 32319 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 410127123 registers.esi: 19754646 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 c7 01 00 00 81 c7 23 25 ff 7f 5b f7 df c1 exception.symbol: rana+0x40f4ab exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4256939 exception.address: 0x12cf4ab registers.esp: 3799396 registers.edi: 4294937732 registers.eax: 84201 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 410127123 registers.esi: 19754646 registers.ecx: 2061893632	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 89 04 24 b8 9f 7b fa 77 52 exception.symbol: rana+0x419b68 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4299624 exception.address: 0x12d9b68 registers.esp: 3799396 registers.edi: 2061909918 registers.eax: 0 registers.ebp: 4007976980 registers.edx: 19766571 registers.ebx: 19754519 registers.esi: 28183 registers.ecx: 116969	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 57 83 ec 04 89 1c 24 bb 01 ae fb 7f 89 df 8b exception.symbol: rana+0x42cae4 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4377316 exception.address: 0x12ecae4 registers.esp: 3799360 registers.edi: 0 registers.eax: 26703 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 2164391936 registers.esi: 19838600 registers.ecx: 19842243	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 31 ff ff 34 39 e9 9f 07 00 00 89 14 24 89 e2 exception.symbol: rana+0x42c510 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4375824 exception.address: 0x12ec510 registers.esp: 3799364 registers.edi: 0 registers.eax: 26703 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 2164391936 registers.esi: 19838600 registers.ecx: 19868946	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 51 e9 b3 04 00 00 5b 81 c4 04 00 00 00 81 c3 exception.symbol: rana+0x42c6ed exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4376301 exception.address: 0x12ec6ed registers.esp: 3799364 registers.edi: 4294943152 registers.eax: 26703 registers.ebp: 4007976980 registers.edx: 2291501920 registers.ebx: 2164391936 registers.esi: 19838600 registers.ecx: 19868946	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 f7 07 76 10 89 1c 24 68 a1 59 f7 exception.symbol: rana+0x42e04b exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4382795 exception.address: 0x12ee04b registers.esp: 3799364 registers.edi: 0 registers.eax: 28053 registers.ebp: 4007976980 registers.edx: 487162210 registers.ebx: 3860819 registers.esi: 19849875 registers.ecx: 1021396383	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 08 01 00 00 89 24 24 83 04 24 04 5a 51 b9 exception.symbol: rana+0x42ed75 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4386165 exception.address: 0x12eed75 registers.esp: 3799364 registers.edi: 0 registers.eax: 31808 registers.ebp: 4007976980 registers.edx: 19881975 registers.ebx: 1671271384 registers.esi: 19849875 registers.ecx: 1021396383	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 52 e9 18 fd ff ff 8b 1c 24 81 c4 04 00 00 00 exception.symbol: rana+0x42eb54 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4385620 exception.address: 0x12eeb54 registers.esp: 3799364 registers.edi: 0 registers.eax: 1726985056 registers.ebp: 4007976980 registers.edx: 19853159 registers.ebx: 1671271384 registers.esi: 19849875 registers.ecx: 1021396383	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 56 be 20 f1 ee 5d e9 df f8 ff ff 5b ff 34 24 exception.symbol: rana+0x4312f8 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4395768 exception.address: 0x12f12f8 registers.esp: 3799360 registers.edi: 4022997658 registers.eax: 31020 registers.ebp: 4007976980 registers.edx: 4251971319 registers.ebx: 17959484 registers.esi: 39707156 registers.ecx: 19860397	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 68 21 a3 f5 56 e9 dc 00 00 00 be 92 f5 a7 55 exception.symbol: rana+0x430d53 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4394323 exception.address: 0x12f0d53 registers.esp: 3799364 registers.edi: 4022997658 registers.eax: 4294938932 registers.ebp: 4007976980 registers.edx: 4251971319 registers.ebx: 17959484 registers.esi: 3909414019 registers.ecx: 19891417	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 50 56 89 3c 24 51 b9 54 85 2f 55 bf 22 80 5f exception.symbol: rana+0x438cd8 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4426968 exception.address: 0x12f8cd8 registers.esp: 3799364 registers.edi: 19918760 registers.eax: 27491 registers.ebp: 4007976980 registers.edx: 4294942736 registers.ebx: 3967899218 registers.esi: 3622461093 registers.ecx: 19882168	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 1b 04 00 00 81 ee 20 e6 75 7a e9 40 fc ff exception.symbol: rana+0x4396e9 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4429545 exception.address: 0x12f96e9 registers.esp: 3799360 registers.edi: 19918760 registers.eax: 29596 registers.ebp: 4007976980 registers.edx: 4294942736 registers.ebx: 1721383771 registers.esi: 3622461093 registers.ecx: 19894616	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 0b ff 34 24 ff 34 24 5e 68 06 37 exception.symbol: rana+0x439b9e exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4430750 exception.address: 0x12f9b9e registers.esp: 3799364 registers.edi: 19918760 registers.eax: 29596 registers.ebp: 4007976980 registers.edx: 4294942736 registers.ebx: 1721383771 registers.esi: 3622461093 registers.ecx: 19924212	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 56 89 e6 50 89 1c 24 e9 82 f8 ff ff c1 e1 08 exception.symbol: rana+0x4399bf exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4430271 exception.address: 0x12f99bf registers.esp: 3799364 registers.edi: 19918760 registers.eax: 29596 registers.ebp: 4007976980 registers.edx: 4294942736 registers.ebx: 4294940792 registers.esi: 157417 registers.ecx: 19924212	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 55 52 ba 42 b9 bd 69 e9 0e fc ff ff 05 67 dd exception.symbol: rana+0x43ab09 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4434697 exception.address: 0x12fab09 registers.esp: 3799360 registers.edi: 19900000 registers.eax: 27191 registers.ebp: 4007976980 registers.edx: 1300747999 registers.ebx: 202681558 registers.esi: 19899098 registers.ecx: 1481352304	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 68 03 f2 46 7a 89 3c 24 52 ba 00 b9 fb 77 52 exception.symbol: rana+0x43a808 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4433928 exception.address: 0x12fa808 registers.esp: 3799364 registers.edi: 19927191 registers.eax: 27191 registers.ebp: 4007976980 registers.edx: 1300747999 registers.ebx: 202681558 registers.esi: 19899098 registers.ecx: 1481352304	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb b8 df 4b d6 7b c1 e8 06 57 81 ec 04 00 00 00 exception.symbol: rana+0x43ae6e exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4435566 exception.address: 0x12fae6e registers.esp: 3799364 registers.edi: 19927191 registers.eax: 27191 registers.ebp: 4007976980 registers.edx: 1300747999 registers.ebx: 202681558 registers.esi: 81129 registers.ecx: 4294942992	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 1a e9 62 01 00 00 56 be 18 bf ff exception.symbol: rana+0x44fb53 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4520787 exception.address: 0x130fb53 registers.esp: 3799364 registers.edi: 19964392 registers.eax: 30879 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 20017093 registers.esi: 19926131 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 52 89 e2 e9 e5 fb ff ff 29 fa exception.symbol: rana+0x4500be exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4522174 exception.address: 0x13100be registers.esp: 3799364 registers.edi: 19964392 registers.eax: 30879 registers.ebp: 4007976980 registers.edx: 4294939008 registers.ebx: 20017093 registers.esi: 2298801283 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 50 b8 61 d3 ff 53 29 c2 ff 34 24 e9 88 03 00 exception.symbol: rana+0x453069 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4534377 exception.address: 0x1313069 registers.esp: 3799360 registers.edi: 19964392 registers.eax: 27317 registers.ebp: 4007976980 registers.edx: 20000794 registers.ebx: 20017093 registers.esi: 2298801283 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 55 89 3c 24 e9 6f 02 00 00 81 c7 04 00 00 00 exception.symbol: rana+0x4534d4 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4535508 exception.address: 0x13134d4 registers.esp: 3799364 registers.edi: 3109113939 registers.eax: 27317 registers.ebp: 4007976980 registers.edx: 20028111 registers.ebx: 4294942296 registers.esi: 2298801283 registers.ecx: 0	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 e9 44 ff ff ff 31 exception.symbol: rana+0x45deab exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4578987 exception.address: 0x131deab registers.esp: 3799364 registers.edi: 20032847 registers.eax: 26771 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 20004546 registers.esi: 4636936 registers.ecx: 20070754	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 e9 37 01 00 00 83 c4 04 e9 0c 07 exception.symbol: rana+0x45d91c exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4577564 exception.address: 0x131d91c registers.esp: 3799364 registers.edi: 0 registers.eax: 15290448 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 20004546 registers.esi: 4636936 registers.ecx: 20046902	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 81 ea bc b8 ff 7f 53 bb ff 37 f7 7b 81 f3 38 exception.symbol: rana+0x4689cf exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4622799 exception.address: 0x13289cf registers.esp: 3799360 registers.edi: 344522752 registers.eax: 30032 registers.ebp: 4007976980 registers.edx: 20087315 registers.ebx: 20064538 registers.esi: 4636936 registers.ecx: 19763235	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 16 8b 1c 24 68 6b 75 cd 1b 89 14 exception.symbol: rana+0x468d2a exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4623658 exception.address: 0x1328d2a registers.esp: 3799364 registers.edi: 344522752 registers.eax: 30032 registers.ebp: 4007976980 registers.edx: 20117347 registers.ebx: 20064538 registers.esi: 4636936 registers.ecx: 19763235	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 c5 f2 4d 7a ff 34 24 8b 1c 24 68 exception.symbol: rana+0x4687b3 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4622259 exception.address: 0x13287b3 registers.esp: 3799364 registers.edi: 344522752 registers.eax: 30032 registers.ebp: 4007976980 registers.edx: 20117347 registers.ebx: 32434519 registers.esi: 4294940164 registers.ecx: 19763235	1
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: fb 68 ef 34 c5 6b 89 2c 24 53 bb 51 1a cf 7f 89 exception.symbol: rana+0x46bfe6 exception.instruction: sti exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4636646 exception.address: 0x132bfe6 registers.esp: 3799364 registers.edi: 344522752 registers.eax: 20135466 registers.ebp: 4007976980 registers.edx: 2130566132 registers.ebx: 2051928773 registers.esi: 4294940164 registers.ecx: 2061893632	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.37/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.37/
request	POST http://185.215.113.37/e2b1563c6670f193.php
request	GET http://185.215.113.37/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.37/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.37/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.37/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.37/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.37/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.37/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.37/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 143360 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ec1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 10:26 a.m.	process_identifier: 2544 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rana.exe tried to sleep 1043 seconds, actually delayed analysis time by 1043 seconds

Steals private information from local Internet browsers (50 out of 4437 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 26, 2024, 10:26 a.m.	snapshot_handle: 0x0000037c process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW Sept. 26, 2024, 10:26 a.m.	snapshot_handle: 0x0000037c process_name: pw.exe process_identifier: 2320	1	1
Process32NextW Sept. 26, 2024, 10:26 a.m.	snapshot_handle: 0x0000037c process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Sept. 26, 2024, 10:26 a.m.	snapshot_handle: 0x0000037c process_name: rana.exe process_identifier: 2544	1	1

An executable file was downloaded by the process rana.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00022800', u'virtual_address': u'0x00001000', u'entropy': 7.9795252521358, u'name': u' \\x00 ', u'virtual_size': u'0x0025b000'}

entropy

7.97952525214

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019e400', u'virtual_address': u'0x004fd000', u'entropy': 7.953344026869935, u'name': u'exbnbhbd', u'virtual_size': u'0x0019f000'}

entropy

7.95334402687

description

A section with a high entropy has been found

entropy

0.993909191584

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA Sept. 26, 2024, 10:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.37

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 341 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 26, 2024, 10:26 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 26, 2024, 10:26 a.m.	key_handle: 0x00000380 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 26, 2024, 10:26 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 54 8b 04 24 81 c4 04 exception.symbol: rana+0x3f0bc9 exception.instruction: in eax, dx exception.module: rana.exe exception.exception_code: 0xc0000096 exception.offset: 4131785 exception.address: 0x12b0bc9 registers.esp: 3799396 registers.edi: 19602333 registers.eax: 1447909480 registers.ebp: 4007976980 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 19576725 registers.ecx: 20	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (D)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Miner.vho
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!EF4D942F4436
Trapmine	malicious.high.ml.score
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.ef4d942f44362d48
Avira	TR/Crypt.TPM.Gen
Kingsoft	malware.kb.b.991
Gridinsoft	Trojan.Heur!.03A120A1
ZoneAlarm	HEUR:Trojan.Win32.Miner.vho
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Trojan/Win.Generic.R668215
DeepInstinct	MALICIOUS
Zoner	Probably Heur.ExeHeaderL
Fortinet	W32/Themida.HZB!tr

rana.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All