Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 7, 2025, 6:16 p.m.	March 7, 2025, 6:22 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f0ad59c5e3eb8da5cbbf9c731371941c`
SHA256	`cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19`
CRC32	`C5959D5E`
ssdeep	`49152:V0I55UqcHdfLbRjLh7IDkKKBITpCl0M7xgwFbF:VF55URxBIAgCl0+x`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description)

ji5E4ie.exe "C:\Users\test22\AppData\Local\Temp\ji5E4ie.exe"
2548

Name	Response	Post-Analysis Lookup
dugong.ydns.eu	A 38.180.229.217	38.180.229.217

IP Address	Status	Action
164.124.101.2	Active	Moloch
38.180.229.217	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 38.180.229.217:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 38.180.229.217:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 38.180.229.217:80 -> 192.168.56.101:49162	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 38.180.229.217:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 38.180.229.217:80 -> 192.168.56.101:49162	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 38.180.229.217:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49162 -> 38.180.229.217:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 38.180.229.217:80 -> 192.168.56.101:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 38.180.229.217:80 -> 192.168.56.101:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 38.180.229.217:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 38.180.229.217:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 38.180.229.217:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 38.180.229.217:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 38.180.229.217:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 38.180.229.217:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 38.180.229.217:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49164 -> 38.180.229.217:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 7, 2025, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 7, 2025, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 7, 2025, 6:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:16 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0
IsDebuggerPresent March 7, 2025, 6:17 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 7, 2025, 6:16 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.rsrc
section	.idata
section
section	hbloxsmk
section	bicjwbqp

One or more processes crashed (50 out of 114 events)

Time & API	Arguments	Status
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: ji5e4ie+0x5420b9 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 5513401 exception.address: 0x6220b9 registers.esp: 10943780 registers.edi: 0 registers.eax: 1 registers.ebp: 10943796 registers.edx: 8245248 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 91 f7 ff ff 57 e9 2b 00 00 00 81 ca 14 99 exception.symbol: ji5e4ie+0x24e5fa exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 2418170 exception.address: 0x32e5fa registers.esp: 10943744 registers.edi: 1968898280 registers.eax: 30492 registers.ebp: 3876241428 registers.edx: 917504 registers.ebx: 927596776 registers.esi: 3333491 registers.ecx: 1969094656	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 68 83 f4 ca 7b e9 30 00 00 00 f7 d5 87 2c 24 exception.symbol: ji5e4ie+0x24e80c exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 2418700 exception.address: 0x32e80c registers.esp: 10943748 registers.edi: 693757288 registers.eax: 4294939872 registers.ebp: 3876241428 registers.edx: 917504 registers.ebx: 927596776 registers.esi: 3363983 registers.ecx: 1969094656	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 51 89 2c 24 c7 04 24 78 f4 ea 5e 57 89 34 24 exception.symbol: ji5e4ie+0x24f351 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 2421585 exception.address: 0x32f351 registers.esp: 10943748 registers.edi: 693757288 registers.eax: 3366941 registers.ebp: 3876241428 registers.edx: 1187849216 registers.ebx: 927596776 registers.esi: 3363983 registers.ecx: 1969094656	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 68 a1 86 60 16 ff 34 24 ff 34 24 e9 df 00 00 exception.symbol: ji5e4ie+0x24f2fc exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 2421500 exception.address: 0x32f2fc registers.esp: 10943748 registers.edi: 693757288 registers.eax: 3366941 registers.ebp: 3876241428 registers.edx: 1187849216 registers.ebx: 927596776 registers.esi: 4294939924 registers.ecx: 236777	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 2b 01 00 00 03 1c 24 e9 81 01 00 00 c1 e1 exception.symbol: ji5e4ie+0x41f2f6 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4322038 exception.address: 0x4ff2f6 registers.esp: 10943748 registers.edi: 3372874 registers.eax: 26854 registers.ebp: 3876241428 registers.edx: 2396160 registers.ebx: 5264530 registers.esi: 5237147 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 68 71 db 6b 16 89 34 24 c7 04 24 00 18 fa 3f exception.symbol: ji5e4ie+0x41efac exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4321196 exception.address: 0x4fefac registers.esp: 10943748 registers.edi: 3372874 registers.eax: 26854 registers.ebp: 3876241428 registers.edx: 4294943648 registers.ebx: 5264530 registers.esi: 604277075 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 50 e9 6d ff ff ff 29 de 5b 68 38 9f 79 1a 89 exception.symbol: ji5e4ie+0x425265 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4346469 exception.address: 0x505265 registers.esp: 10943748 registers.edi: 5292164 registers.eax: 30315 registers.ebp: 3876241428 registers.edx: 2130566132 registers.ebx: 1549541099 registers.esi: 604277075 registers.ecx: 4294939960	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 81 ef c2 f3 df 7c 03 3c 24 50 b8 00 b6 d9 15 exception.symbol: ji5e4ie+0x42c38c exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4375436 exception.address: 0x50c38c registers.esp: 10943744 registers.edi: 5291884 registers.eax: 25748 registers.ebp: 3876241428 registers.edx: 39360 registers.ebx: 5264854 registers.esi: 4249721280 registers.ecx: 1969148396	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 da 01 00 00 81 e2 97 a9 f5 7e 81 c2 aa 1b exception.symbol: ji5e4ie+0x42c8e6 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4376806 exception.address: 0x50c8e6 registers.esp: 10943748 registers.edi: 5317632 registers.eax: 25748 registers.ebp: 3876241428 registers.edx: 1114345 registers.ebx: 5264854 registers.esi: 4294944776 registers.ecx: 1969148396	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 8b 20 00 00 81 34 24 exception.symbol: ji5e4ie+0x42f4de exception.instruction: in eax, dx exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4388062 exception.address: 0x50f4de registers.esp: 10943740 registers.edi: 5317632 registers.eax: 1447909480 registers.ebp: 3876241428 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 5299276 registers.ecx: 20	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: ji5e4ie+0x431542 exception.address: 0x511542 exception.module: ji5E4ie.exe exception.exception_code: 0xc000001d exception.offset: 4396354 registers.esp: 10943740 registers.edi: 5317632 registers.eax: 1 registers.ebp: 3876241428 registers.edx: 22104 registers.ebx: 0 registers.esi: 5299276 registers.ecx: 20	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 1a 38 28 19 01 exception.symbol: ji5e4ie+0x42fead exception.instruction: in eax, dx exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4390573 exception.address: 0x50fead registers.esp: 10943740 registers.edi: 5317632 registers.eax: 1447909480 registers.ebp: 3876241428 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 5299276 registers.ecx: 10	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 56 e9 cd 01 00 00 5f 81 ee 56 e6 exception.symbol: ji5e4ie+0x43680a exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4417546 exception.address: 0x51680a registers.esp: 10943748 registers.edi: 6379 registers.eax: 33158 registers.ebp: 3876241428 registers.edx: 2130566132 registers.ebx: 62461390 registers.esi: 5367182 registers.ecx: 4294937696	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f 8d 02 00 00 00 8b f0 81 d2 46 f6 exception.symbol: ji5e4ie+0x437669 exception.instruction: int 1 exception.module: ji5E4ie.exe exception.exception_code: 0xc0000005 exception.offset: 4421225 exception.address: 0x517669 registers.esp: 10943708 registers.edi: 0 registers.eax: 10943708 registers.ebp: 3876241428 registers.edx: 1504816926 registers.ebx: 5339063 registers.esi: 5339063 registers.ecx: 1157353761	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 81 c1 5b 74 f7 77 e9 5f 03 00 00 5a f7 db 81 exception.symbol: ji5e4ie+0x43e48d exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4449421 exception.address: 0x51e48d registers.esp: 10943744 registers.edi: 6379 registers.eax: 32200 registers.ebp: 3876241428 registers.edx: 5350649 registers.ebx: 62461390 registers.esi: 5314795 registers.ecx: 5366135	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 8c fb ff ff 5b 89 ca 59 50 b8 20 58 ef 57 exception.symbol: ji5e4ie+0x43e617 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4449815 exception.address: 0x51e617 registers.esp: 10943748 registers.edi: 6379 registers.eax: 4294937904 registers.ebp: 3876241428 registers.edx: 5350649 registers.ebx: 3924003155 registers.esi: 5314795 registers.ecx: 5398335	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 81 c1 db 26 dd 7f 03 0c 24 e9 e6 03 00 00 89 exception.symbol: ji5e4ie+0x449349 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4494153 exception.address: 0x529349 registers.esp: 10943736 registers.edi: 3326182 registers.eax: 30923 registers.ebp: 3876241428 registers.edx: 6 registers.ebx: 62461612 registers.esi: 1968968720 registers.ecx: 5410156	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 52 e9 68 00 00 00 81 ce a2 16 fe 5f 55 bd 25 exception.symbol: ji5e4ie+0x44949e exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4494494 exception.address: 0x52949e registers.esp: 10943740 registers.edi: 3326182 registers.eax: 0 registers.ebp: 3876241428 registers.edx: 6 registers.ebx: 1179202795 registers.esi: 1968968720 registers.ecx: 5413087	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 68 86 15 16 70 89 14 24 89 0c 24 exception.symbol: ji5e4ie+0x44baf1 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4504305 exception.address: 0x52baf1 registers.esp: 10943740 registers.edi: 3326182 registers.eax: 31570 registers.ebp: 3876241428 registers.edx: 6 registers.ebx: 5452566 registers.esi: 1968968720 registers.ecx: 1869928576	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 83 ec 04 89 34 24 exception.symbol: ji5e4ie+0x44b7f5 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4503541 exception.address: 0x52b7f5 registers.esp: 10943740 registers.edi: 1109225 registers.eax: 31570 registers.ebp: 3876241428 registers.edx: 0 registers.ebx: 5424042 registers.esi: 1968968720 registers.ecx: 1869928576	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 31 db 50 52 89 da e9 3c 00 00 00 68 0d bf f7 exception.symbol: ji5e4ie+0x44d98a exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4512138 exception.address: 0x52d98a registers.esp: 10943740 registers.edi: 1109225 registers.eax: 29121 registers.ebp: 3876241428 registers.edx: 5458134 registers.ebx: 5424042 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 53 e9 1f 01 00 00 ff 0c 24 f7 1c 24 f7 14 24 exception.symbol: ji5e4ie+0x44ddbc exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4513212 exception.address: 0x52ddbc registers.esp: 10943740 registers.edi: 604277079 registers.eax: 29121 registers.ebp: 3876241428 registers.edx: 5458134 registers.ebx: 4294940688 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 57 52 89 24 24 81 04 24 04 00 00 00 5f 56 53 exception.symbol: ji5e4ie+0x45bb74 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4569972 exception.address: 0x53bb74 registers.esp: 10943740 registers.edi: 2325972464 registers.eax: 28838 registers.ebp: 3876241428 registers.edx: 2130546808 registers.ebx: 5514361 registers.esi: 1970012160 registers.ecx: 5484980	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 94 01 00 00 52 89 3c 24 83 ec 04 exception.symbol: ji5e4ie+0x45bc64 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4570212 exception.address: 0x53bc64 registers.esp: 10943740 registers.edi: 2325972464 registers.eax: 4294941484 registers.ebp: 3876241428 registers.edx: 116969 registers.ebx: 5514361 registers.esi: 1970012160 registers.ecx: 5484980	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 81 c3 e7 62 db 7e 51 68 22 4a eb 79 e9 6f 00 exception.symbol: ji5e4ie+0x470dfa exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4656634 exception.address: 0x550dfa registers.esp: 10943704 registers.edi: 4523016 registers.eax: 28048 registers.ebp: 3876241428 registers.edx: 263168 registers.ebx: 5572230 registers.esi: 5570908 registers.ecx: 0	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 50 52 e9 bf 06 00 00 5a 81 2c 24 cb e6 00 2d exception.symbol: ji5e4ie+0x470888 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4655240 exception.address: 0x550888 registers.esp: 10943708 registers.edi: 4523016 registers.eax: 3779701352 registers.ebp: 3876241428 registers.edx: 263168 registers.ebx: 5600278 registers.esi: 5570908 registers.ecx: 4294942140	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 5d fc ff ff 29 ce 59 bb d3 84 59 52 01 f3 exception.symbol: ji5e4ie+0x471f72 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4661106 exception.address: 0x551f72 registers.esp: 10943708 registers.edi: 4523016 registers.eax: 30653 registers.ebp: 3876241428 registers.edx: 5606172 registers.ebx: 1657032929 registers.esi: 5570908 registers.ecx: 4294942140	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 57 89 34 24 53 89 0c 24 b9 ba 8e 9f 26 53 e9 exception.symbol: ji5e4ie+0x47175a exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4659034 exception.address: 0x55175a registers.esp: 10943708 registers.edi: 4523016 registers.eax: 9300306 registers.ebp: 3876241428 registers.edx: 5606172 registers.ebx: 4294939756 registers.esi: 5570908 registers.ecx: 4294942140	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 59 fc ff ff 68 1c be 96 72 89 14 24 ba c5 exception.symbol: ji5e4ie+0x472682 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4662914 exception.address: 0x552682 registers.esp: 10943704 registers.edi: 4523016 registers.eax: 26344 registers.ebp: 3876241428 registers.edx: 5579027 registers.ebx: 4294939756 registers.esi: 5570908 registers.ecx: 953834524	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 55 e9 30 ff ff ff 81 ef 04 00 00 00 87 3c 24 exception.symbol: ji5e4ie+0x4727ff exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4663295 exception.address: 0x5527ff registers.esp: 10943708 registers.edi: 4523016 registers.eax: 26344 registers.ebp: 3876241428 registers.edx: 5605371 registers.ebx: 4294939756 registers.esi: 5570908 registers.ecx: 953834524	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 55 81 ec 04 00 00 00 89 2c 24 57 bf e0 68 bb exception.symbol: ji5e4ie+0x472235 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4661813 exception.address: 0x552235 registers.esp: 10943708 registers.edi: 4294943784 registers.eax: 26344 registers.ebp: 3876241428 registers.edx: 5605371 registers.ebx: 4294939756 registers.esi: 938384781 registers.ecx: 953834524	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 42 04 00 00 89 e6 57 bf 04 00 00 00 e9 c6 exception.symbol: ji5e4ie+0x476796 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4679574 exception.address: 0x556796 registers.esp: 10943704 registers.edi: 4294943784 registers.eax: 25983 registers.ebp: 3876241428 registers.edx: 0 registers.ebx: 65786 registers.esi: 5596595 registers.ecx: 1971716238	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 56 e9 67 ff ff ff 55 ff 74 24 04 8b 2c 24 81 exception.symbol: ji5e4ie+0x476fc8 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4681672 exception.address: 0x556fc8 registers.esp: 10943708 registers.edi: 4294943784 registers.eax: 25983 registers.ebp: 3876241428 registers.edx: 0 registers.ebx: 65786 registers.esi: 5622578 registers.ecx: 1971716238	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 57 68 17 84 72 62 89 04 24 e9 07 fe ff ff c7 exception.symbol: ji5e4ie+0x476d89 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4681097 exception.address: 0x556d89 registers.esp: 10943708 registers.edi: 4294943784 registers.eax: 0 registers.ebp: 3876241428 registers.edx: 2298801283 registers.ebx: 65786 registers.esi: 5599306 registers.ecx: 1971716238	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 52 ba 27 b0 7d 5f 4a 81 c2 1a a2 3d f8 e9 a3 exception.symbol: ji5e4ie+0x47af3d exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4697917 exception.address: 0x55af3d registers.esp: 10943704 registers.edi: 418735164 registers.eax: 5613370 registers.ebp: 3876241428 registers.edx: 1507321530 registers.ebx: 418768381 registers.esi: 5575794 registers.ecx: 1508698211	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 68 69 17 ac 67 89 1c 24 89 14 24 e9 b6 00 00 exception.symbol: ji5e4ie+0x47a9ed exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4696557 exception.address: 0x55a9ed registers.esp: 10943708 registers.edi: 4294942456 registers.eax: 5641416 registers.ebp: 3876241428 registers.edx: 1507321530 registers.ebx: 418768381 registers.esi: 81129 registers.ecx: 1508698211	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 31 db 51 52 e9 00 00 00 00 89 da e9 95 f9 ff exception.symbol: ji5e4ie+0x47e2f8 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4711160 exception.address: 0x55e2f8 registers.esp: 10943708 registers.edi: 5618941 registers.eax: 29051 registers.ebp: 3876241428 registers.edx: 5655396 registers.ebx: 1644822528 registers.esi: 1786785001 registers.ecx: 2009995274	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 53 bb 31 d4 dd 62 50 c7 04 24 14 51 6e 5f 81 exception.symbol: ji5e4ie+0x47dc43 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4709443 exception.address: 0x55dc43 registers.esp: 10943708 registers.edi: 5618941 registers.eax: 29051 registers.ebp: 3876241428 registers.edx: 5655396 registers.ebx: 4294940628 registers.esi: 869243240 registers.ecx: 2009995274	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 81 c7 1e 20 d5 7f 03 3c 24 81 ec 04 00 00 00 exception.symbol: ji5e4ie+0x47ea00 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4712960 exception.address: 0x55ea00 registers.esp: 10943704 registers.edi: 5629239 registers.eax: 25930 registers.ebp: 3876241428 registers.edx: 5655396 registers.ebx: 987506210 registers.esi: 869243240 registers.ecx: 2009995274	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 53 bb a6 dc ea 17 e9 40 00 00 00 81 c5 fe 3b exception.symbol: ji5e4ie+0x47eaa1 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4713121 exception.address: 0x55eaa1 registers.esp: 10943708 registers.edi: 5655169 registers.eax: 25930 registers.ebp: 3876241428 registers.edx: 4294944656 registers.ebx: 987506210 registers.esi: 869243240 registers.ecx: 607422801	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 68 b4 4b a2 41 89 2c 24 51 b9 4e 7e 54 6d 81 exception.symbol: ji5e4ie+0x483ef7 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4734711 exception.address: 0x563ef7 registers.esp: 10943704 registers.edi: 5655169 registers.eax: 5650689 registers.ebp: 3876241428 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 5634050 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb e9 50 00 00 00 33 0c 24 8b 24 24 50 89 14 24 exception.symbol: ji5e4ie+0x483ccc exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4734156 exception.address: 0x563ccc registers.esp: 10943708 registers.edi: 5655169 registers.eax: 5683461 registers.ebp: 3876241428 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 5634050 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 55 89 14 24 81 ec 04 00 00 00 89 exception.symbol: ji5e4ie+0x483dd7 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4734423 exception.address: 0x563dd7 registers.esp: 10943708 registers.edi: 0 registers.eax: 5653485 registers.ebp: 3876241428 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 3923806544 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 c1 13 be 04 89 14 24 e9 95 f8 ff exception.symbol: ji5e4ie+0x48664d exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4744781 exception.address: 0x56664d registers.esp: 10943704 registers.edi: 5659816 registers.eax: 25977 registers.ebp: 3876241428 registers.edx: 59247448 registers.ebx: 3921075302 registers.esi: 3929464454 registers.ecx: 64905358	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 51 51 c7 04 24 80 a6 df 6b 59 56 e9 40 03 00 exception.symbol: ji5e4ie+0x485ea2 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4742818 exception.address: 0x565ea2 registers.esp: 10943708 registers.edi: 5662705 registers.eax: 0 registers.ebp: 3876241428 registers.edx: 3245638248 registers.ebx: 3921075302 registers.esi: 3929464454 registers.ecx: 64905358	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 57 53 e9 00 00 00 00 51 b9 e8 46 af 5a e9 00 exception.symbol: ji5e4ie+0x4a02ea exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4850410 exception.address: 0x5802ea registers.esp: 10943708 registers.edi: 5795798 registers.eax: 30247 registers.ebp: 3876241428 registers.edx: 8708840 registers.ebx: 5720785 registers.esi: 5720781 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 51 b9 91 cc ef 7f 50 89 34 24 be b7 a8 75 5f exception.symbol: ji5e4ie+0x49ff77 exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4849527 exception.address: 0x57ff77 registers.esp: 10943708 registers.edi: 5767946 registers.eax: 30247 registers.ebp: 3876241428 registers.edx: 8708840 registers.ebx: 0 registers.esi: 604277079 registers.ecx: 2140536832	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb 57 e9 fd fa ff ff 89 34 24 57 68 30 58 3d 6a exception.symbol: ji5e4ie+0x4aaaec exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4893420 exception.address: 0x58aaec registers.esp: 10943708 registers.edi: 3135588628 registers.eax: 5839005 registers.ebp: 3876241428 registers.edx: 0 registers.ebx: 3137198871 registers.esi: 1587104264 registers.ecx: 5806867	1
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: fb ba 22 d6 ff 7f 81 f2 61 0b 7f 1f c1 ea 07 c1 exception.symbol: ji5e4ie+0x4aa59d exception.instruction: sti exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4892061 exception.address: 0x58a59d registers.esp: 10943708 registers.edi: 3135588628 registers.eax: 5811497 registers.ebp: 3876241428 registers.edx: 0 registers.ebx: 3137198871 registers.esi: 21293394 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://dugong.ydns.eu//gtthfbsb2h.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/sqlite3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/freebl3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/mozglue.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/msvcp140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/nss3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dugong.ydns.eu//kj2h34kj23h4/vcruntime140.dll

Performs some HTTP requests (9 events)

request	GET http://dugong.ydns.eu/
request	POST http://dugong.ydns.eu//gtthfbsb2h.php
request	GET http://dugong.ydns.eu//kj2h34kj23h4/sqlite3.dll
request	GET http://dugong.ydns.eu//kj2h34kj23h4/freebl3.dll
request	GET http://dugong.ydns.eu//kj2h34kj23h4/mozglue.dll
request	GET http://dugong.ydns.eu//kj2h34kj23h4/msvcp140.dll
request	GET http://dugong.ydns.eu//kj2h34kj23h4/nss3.dll
request	GET http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dll
request	GET http://dugong.ydns.eu//kj2h34kj23h4/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://dugong.ydns.eu//gtthfbsb2h.php

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 94208 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2025, 6:16 p.m.	process_identifier: 2548 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

ji5E4ie.exe tried to sleep 1043 seconds, actually delayed analysis time by 1043 seconds

Steals private information from local Internet browsers (50 out of 4437 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 7, 2025, 6:16 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files\Google\Chrome\Application\chrome.exe --remote-debugging-port=9229 --profile-directory="Default" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000		0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 7, 2025, 6:16 p.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2324	1	1	0

An executable file was downloaded by the process ji5e4ie.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile March 7, 2025, 6:16 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00016800', u'virtual_address': u'0x00001000', u'entropy': 7.972973254287661, u'name': u' \\x00 ', u'virtual_size': u'0x00249000'}

entropy

7.97297325429

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001ba600', u'virtual_address': u'0x00542000', u'entropy': 7.954850446877664, u'name': u'hbloxsmk', u'virtual_size': u'0x001bb000'}

entropy

7.95485044688

description

A section with a high entropy has been found

entropy

0.99919398173

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA March 7, 2025, 6:16 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 341 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 7, 2025, 6:16 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA March 7, 2025, 6:16 p.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 7, 2025, 6:16 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 8b 20 00 00 81 34 24 exception.symbol: ji5e4ie+0x42f4de exception.instruction: in eax, dx exception.module: ji5E4ie.exe exception.exception_code: 0xc0000096 exception.offset: 4388062 exception.address: 0x50f4de registers.esp: 10943740 registers.edi: 5317632 registers.eax: 1447909480 registers.ebp: 3876241428 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 5299276 registers.ecx: 20	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.Stealc.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Generic
ALYac	Gen:Variant.Zusy.270953
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.270953
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Zusy.270953
K7GW	Trojan ( 0040f4ef1 )
K7AntiVirus	Trojan ( 0040f4ef1 )
Arcabit	Trojan.Zusy.D42269
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.FME
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Packed:Win32/Themida.8e124d89
MicroWorld-eScan	Gen:Variant.Zusy.270953
Rising	Trojan.Generic!8.C3 (CLOUD)
Emsisoft	Gen:Variant.Zusy.270953 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.DownLoader48.16163
TrendMicro	Trojan.Win32.AMADEY.YXFCFZ
McAfeeD	Real Protect-LS!F0AD59C5E3EB
Trapmine	malicious.high.ml.score
CTX	exe.trojan.stealc
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.f0ad59c5e3eb8da5
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	Win32.Trojan-PSW.Stealerc.pef
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/StealC
ViRobot	Trojan.Win.Z.Zusy.1909760.B
GData	Gen:Variant.Zusy.270953
Varist	W32/ABTrojan.TWVG-1802
AhnLab-V3	Trojan/Win.Generic.R694440
VBA32	BScope.TrojanRansom.Stealc
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXFCFZ
Tencent	Win32.Trojan.Generic.Mcnw
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/StealC.Gen

ji5E4ie.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All