Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2022, 9:42 a.m.	Jan. 27, 2022, 9:46 a.m.

Size	1.7MB
Type	MS-DOS executable
MD5	`2b2ec30a2bf1c7166055e754a04c6ecf`
SHA256	`74fad8e9b1a82d813dd72fce23abdc2d3819496750910c6cdcd70d7398831e2c`
CRC32	`594A16CF`
ssdeep	`24576:Zm787TsxrqnKnXDFOTDLmb/Gr5b+WkGNYgMJaWJxALO+N90HD:Zm78HsYKXxODmrih+CWfDAnNo`
Yara	Antivirus - Contains references to security software PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

file3.exe "C:\Users\test22\AppData\Local\Temp\file3.exe"
2308
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\file3.exe" & exit
  2536
  - timeout.exe timeout /t 5
    2628

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
37.252.15.126	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 27, 2022, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 27, 2022, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 27, 2022, 9:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (43 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 9:41 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 27, 2022, 9:41 a.m.	buffer: Waiting for 5 console_handle: 0x00000007	1	1	0
WriteConsoleW Jan. 27, 2022, 9:41 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2022, 9:41 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MESSAGE
resource name	None

One or more processes crashed (50 out of 143 events)

Time & API	Arguments	Status
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 10 eb 02 b8 9c 64 8f 00 eb 03 dd cf 2f 83 c4 exception.symbol: file3+0x185062 exception.instruction: mov edx, dword ptr [eax] exception.module: file3.exe exception.exception_code: 0xc0000005 exception.offset: 1593442 exception.address: 0xcd5062 registers.esp: 3406156 registers.edi: 0 registers.eax: 0 registers.ebp: 3406176 registers.edx: 13455360 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 00 eb 03 bd 8e 52 64 8f 00 eb 03 ea 7f 70 83 exception.symbol: file3+0x185de8 exception.instruction: mov eax, dword ptr [eax] exception.module: file3.exe exception.exception_code: 0xc0000005 exception.offset: 1596904 exception.address: 0xcd5de8 registers.esp: 3406124 registers.edi: 0 registers.eax: 0 registers.ebp: 3406176 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: exception.instruction_r: cd 01 40 40 eb 04 8c aa ba 49 85 c0 eb 02 03 81 exception.symbol: file3+0x19bf06 exception.instruction: int 1 exception.module: file3.exe exception.exception_code: 0xc0000005 exception.offset: 1687302 exception.address: 0xcebf06 registers.esp: 3406116 registers.edi: 13549176 registers.eax: 0 registers.ebp: 4288477004 registers.edx: 0 registers.ebx: 13456896 registers.esi: 13456896 registers.ecx: 13549412	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: exception.instruction_r: 8b 0a eb 02 d3 53 eb be eb 03 87 8a b0 f9 73 73 exception.symbol: file3+0x1878be exception.instruction: mov ecx, dword ptr [edx] exception.module: file3.exe exception.exception_code: 0xc0000005 exception.offset: 1603774 exception.address: 0xcd78be registers.esp: 3406124 registers.edi: 13540580 registers.eax: 0 registers.ebp: 4288482394 registers.edx: 0 registers.ebx: 10027008 registers.esi: 13456896 registers.ecx: 60957	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: exception.instruction_r: f7 f9 eb 02 20 ae eb b5 eb 03 a3 68 a2 5f eb 03 exception.symbol: file3+0x1877e1 exception.instruction: idiv ecx exception.module: file3.exe exception.exception_code: 0xc0000094 exception.offset: 1603553 exception.address: 0xcd77e1 registers.esp: 3406124 registers.edi: 3670016 registers.eax: 1622723677 registers.ebp: 4288482394 registers.edx: 3670016 registers.ebx: 10027008 registers.esi: 3670456 registers.ecx: 0	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x18f5a6 @ 0xcdf5a6 file3+0x19c56a @ 0xcec56a file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 3405668 registers.edi: 10039160 registers.eax: 3405668 registers.ebp: 3405748 registers.edx: 0 registers.ebx: 3670456 registers.esi: 3683032 registers.ecx: 4	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: 0f 0b eb 04 d8 2d 7d 06 0f 0b eb 04 a1 93 53 ed exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38369a registers.esp: 3405788 registers.edi: 10040800 registers.eax: 0 registers.ebp: 3406104 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 235	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73f6482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143 file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: f7 f0 eb 04 bb 88 a9 5e eb 03 1d 40 d2 eb 05 d1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x383819 registers.esp: 3403996 registers.edi: 0 registers.eax: 0 registers.ebp: 3404012 registers.edx: 13465029 registers.ebx: 3684273 registers.esi: 0 registers.ecx: 3404664	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: cc eb 04 a1 36 ee 12 33 c9 78 5c 8b 43 70 eb 02 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x384c14 registers.esp: 3405784 registers.edi: 10049072 registers.eax: 0 registers.ebp: 3406104 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 3405784 registers.ecx: 8	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x389b88 file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x389cf8 registers.esp: 3405764 registers.edi: 10074536 registers.eax: 1 registers.ebp: 3405776 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 2020557398	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: 8b 00 90 90 f8 eb 03 21 be b1 73 48 eb 05 8d 90 exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x389bb8 registers.esp: 3405788 registers.edi: 10074536 registers.eax: 0 registers.ebp: 3406104 registers.edx: 2 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 2130563072	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: 90 f8 eb 03 21 be b1 73 48 eb 05 8d 90 70 91 2d exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x389bbb registers.esp: 3405788 registers.edi: 10074536 registers.eax: 0 registers.ebp: 3406104 registers.edx: 2 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 2130563072	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x1876f5 @ 0xcd76f5 exception.instruction_r: cd 01 40 40 eb 03 e8 43 13 85 c0 eb 04 2d 4b 09 exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x389b64 registers.esp: 3405788 registers.edi: 10076112 registers.eax: 0 registers.ebp: 3406104 registers.edx: 3710018 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 13465029	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: exception.instruction_r: 8b 0a eb 03 18 8c 72 90 eb 02 32 05 e9 d3 01 00 exception.symbol: file3+0x18a52c exception.instruction: mov ecx, dword ptr [edx] exception.module: file3.exe exception.exception_code: 0xc0000005 exception.offset: 1615148 exception.address: 0xcda52c registers.esp: 3406124 registers.edi: 10089808 registers.eax: 92 registers.ebp: 4288488420 registers.edx: 0 registers.ebx: 10027008 registers.esi: 3670456 registers.ecx: 0	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x1897a2 @ 0xcd97a2 exception.instruction_r: 8b 11 eb 03 a1 08 86 e9 e2 05 00 00 eb 02 69 bb exception.symbol: file3+0x1897de exception.instruction: mov edx, dword ptr [ecx] exception.module: file3.exe exception.exception_code: 0xc0000005 exception.offset: 1611742 exception.address: 0xcd97de registers.esp: 3406012 registers.edi: 10089808 registers.eax: 1376260270 registers.ebp: 3406104 registers.edx: 13477327 registers.ebx: 3670456 registers.esi: 11862016 registers.ecx: 0	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: exception.instruction_r: 0f 0b eb 02 66 fe 0f 0b eb 01 eb e9 94 fe ff ff exception.symbol: file3+0x18a519 exception.instruction: ud2 exception.module: file3.exe exception.exception_code: 0xc000001d exception.offset: 1615129 exception.address: 0xcda519 registers.esp: 3406124 registers.edi: 10755016 registers.eax: 10755016 registers.ebp: 4288488420 registers.edx: 2130566132 registers.ebx: 10027008 registers.esi: 3670456 registers.ecx: 456065024	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb b7 eb 01 7e eb 01 82 33 d2 72 e2 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x391f78 registers.esp: 3405776 registers.edi: 10777572 registers.eax: 0 registers.ebp: 3405800 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 3743124 registers.ecx: 10	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 8b 02 eb 03 81 30 38 eb 04 02 9a 87 3c 66 3d 50 exception.instruction: mov eax, dword ptr [edx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x397ae6 registers.esp: 3405772 registers.edi: 3670456 registers.eax: 0 registers.ebp: 3405800 registers.edx: 2305226485 registers.ebx: 12079256 registers.esi: 4288538120 registers.ecx: 26	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: cd 01 40 40 eb 03 e8 43 13 85 c0 eb 04 2d 4b 09 exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x397aa0 registers.esp: 3405788 registers.edi: 10796580 registers.eax: 0 registers.ebp: 3406104 registers.edx: 3767166 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 13465029	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: exception.instruction_r: cc eb 04 3d 69 f8 6d 3c 04 eb 03 df 87 80 75 52 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x397abb registers.esp: 3405784 registers.edi: 10797160 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 88	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b eb 04 d8 2d 7d 06 0f 0b eb 04 a1 93 53 ed exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x397dba registers.esp: 3405788 registers.edi: 10798528 registers.eax: 0 registers.ebp: 3406104 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 235	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73f6482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143 file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 04 bb 88 a9 5e eb 03 1d 40 d2 eb 05 d1 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x397f39 registers.esp: 3403996 registers.edi: 0 registers.eax: 0 registers.ebp: 3404012 registers.edx: 13465029 registers.ebx: 3768017 registers.esi: 0 registers.ecx: 3404664	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x397dd8 file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x397f48 registers.esp: 3405764 registers.edi: 10806208 registers.eax: 1 registers.ebp: 3405776 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 2020557398	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 8b 00 90 90 f8 eb 03 21 be b1 73 48 eb 05 8d 90 exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x397e08 registers.esp: 3405788 registers.edi: 10806208 registers.eax: 0 registers.ebp: 3406104 registers.edx: 2 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 2130563072	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 90 f8 eb 03 21 be b1 73 48 eb 05 8d 90 70 91 2d exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x397e0b registers.esp: 3405788 registers.edi: 10806208 registers.eax: 0 registers.ebp: 3406104 registers.edx: 2 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 2130563072	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: cd 68 eb 03 67 82 54 66 3d 86 f3 eb 04 f6 8d 6a exception.instruction: int 0x68 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x397db7 registers.esp: 3405788 registers.edi: 10807380 registers.eax: 17152 registers.ebp: 3406104 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 4288538120 registers.ecx: 85	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: cc eb 05 6b 9d 07 38 ea 5e 5b 8b e5 5d c3 eb 05 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x397f08 registers.esp: 3405776 registers.edi: 10807912 registers.eax: 13465030 registers.ebp: 3405800 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 3767632 registers.ecx: 10	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: cc eb 05 6b 9d 07 38 ea 5e 5b 8b e5 5d c3 eb 05 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x397f08 registers.esp: 3405776 registers.edi: 10807912 registers.eax: 13465030 registers.ebp: 3405800 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 3767632 registers.ecx: 10	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 8b c2 eb 05 c0 82 f9 86 a9 55 8b eb 01 5a 60 83 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x397fc1 registers.esp: 3405776 registers.edi: 10807912 registers.eax: 0 registers.ebp: 3405800 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 3767632 registers.ecx: 10	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 02 18 b1 eb 03 83 a2 6f cc eb 05 6b 9d exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x397efd registers.esp: 3405776 registers.edi: 10807912 registers.eax: 0 registers.ebp: 3405800 registers.edx: 13465029 registers.ebx: 3670456 registers.esi: 3767632 registers.ecx: 10	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x397d54 file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3405428 registers.edi: 10811744 registers.eax: 0 registers.ebp: 3405788 registers.edx: 0 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x397e38 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3405408 registers.edi: 3767888 registers.eax: 0 registers.ebp: 3405768 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x399c31 0x399adb 0x399455 0x398aab file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3405072 registers.edi: 10815128 registers.eax: 0 registers.ebp: 3405432 registers.edx: 0 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x399ca2 0x399adb 0x399455 0x398aab file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3405072 registers.edi: 10815128 registers.eax: 0 registers.ebp: 3405432 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x397d54 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 41811184 registers.edi: 1988735230 registers.eax: 0 registers.ebp: 41811544 registers.edx: 0 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x397e38 0x3977f0 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 41811164 registers.edi: 3767888 registers.eax: 0 registers.ebp: 41811524 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: cc eb 05 fe 94 66 d0 3a eb 03 f1 75 12 eb 05 c6 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x39782e registers.esp: 41811564 registers.edi: 1988735230 registers.eax: 0 registers.ebp: 41811624 registers.edx: 3673784 registers.ebx: 3670456 registers.esi: 41811564 registers.ecx: 0	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x399cc8 0x399706 0x399498 0x398aab file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3404768 registers.edi: 3405302 registers.eax: 0 registers.ebp: 3405128 registers.edx: 1932784756 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x399dd7 0x399706 0x399498 0x398aab file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3404768 registers.edi: 3405302 registers.eax: 0 registers.ebp: 3405128 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x399cc8 0x399666 0x3994fa 0x398aab file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3404764 registers.edi: 3405266 registers.eax: 0 registers.ebp: 3405124 registers.edx: 0 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x399dd7 0x399666 0x3994fa 0x398aab file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3404764 registers.edi: 3405266 registers.eax: 0 registers.ebp: 3405124 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39a0c0 file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3405428 registers.edi: 10820860 registers.eax: 0 registers.ebp: 3405788 registers.edx: 0 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39aef3 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3405344 registers.edi: 10820860 registers.eax: 0 registers.ebp: 3405704 registers.edx: 3776704 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39b2a3 0x39a7a5 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3404936 registers.edi: 10820860 registers.eax: 0 registers.ebp: 3405296 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39a906 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3405348 registers.edi: 10820860 registers.eax: 0 registers.ebp: 3405708 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39d343 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 02 ea bc eb 05 c7 0a e8 eb 1e f7 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38eb4a registers.esp: 3404380 registers.edi: 1988594161 registers.eax: 0 registers.ebp: 3404740 registers.edx: 1075839615 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39d747 0x3a0dcb file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 03 f0 31 bd eb 01 b6 f7 f0 eb 02 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38f7e1 registers.esp: 3403588 registers.edi: 4279135540 registers.eax: 0 registers.ebp: 3403948 registers.edx: 3733310 registers.ebx: 3670456 registers.esi: 3733310 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39dc94 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 02 ea bc eb 05 c7 0a e8 eb 1e f7 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38eb4a registers.esp: 3404372 registers.edi: 1988594161 registers.eax: 0 registers.ebp: 3404732 registers.edx: 383 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39e755 0x3a0e46 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: 0f 0b 0f 0b eb 02 ea bc eb 05 c7 0a e8 eb 1e f7 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x38eb4a registers.esp: 3403844 registers.edi: 1988594161 registers.eax: 0 registers.ebp: 3404204 registers.edx: 13499587 registers.ebx: 3670456 registers.esi: 3730088 registers.ecx: 3670456	1
__exception__ Jan. 27, 2022, 9:41 a.m.	stacktrace: 0x39ce23 0x39dcbd 0x3a0e46 file3+0x19c56a @ 0xcec56a file3+0x18afc9 @ 0xcdafc9 exception.instruction_r: f7 f0 eb 01 d4 eb 1f eb 04 a3 db 4e d6 eb 05 2b exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x38eb59 registers.esp: 3403820 registers.edi: 1988594161 registers.eax: 0 registers.ebp: 3404180 registers.edx: 3404204 registers.ebx: 4279135540 registers.esi: 3730088 registers.ecx: 3670456	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/dhbUc2MgYS.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://37.252.15.126/vcruntime140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://37.252.15.126/dhbUc2MgYS.php

Performs some HTTP requests (9 events)

request	GET http://37.252.15.126/dhbUc2MgYS.php
request	GET http://37.252.15.126/sqlite3.dll
request	GET http://37.252.15.126/freebl3.dll
request	GET http://37.252.15.126/mozglue.dll
request	GET http://37.252.15.126/msvcp140.dll
request	GET http://37.252.15.126/nss3.dll
request	GET http://37.252.15.126/softokn3.dll
request	GET http://37.252.15.126/vcruntime140.dll
request	POST http://37.252.15.126/dhbUc2MgYS.php

Sends data using the HTTP POST Method (1 event)

request

POST http://37.252.15.126/dhbUc2MgYS.php

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 region_size: 827392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 region_size: 286720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b64000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b6a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 565248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 651264 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 258048 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 7301 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\IndexedDB\chrome-extension_hcflpincpppdclinealmandijcmnkbgn_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\IndexedDB\chrome-extension_fihkakfobkmkjojpchpfgcmhfjnmnfpi_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run\Sync Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\IndexedDB\chrome-extension_ffnbelfdoeiohenkjibnmadjiehjhajb_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\hi\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\IndexedDB\chrome-extension_ffnbelfdoeiohenkjibnmadjiehjhajb_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Sync Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\IndexedDB\chrome-extension_dkdedlpgdmmkkfjabffeganieamfklkm_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Sync Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\IndexedDB\chrome-extension_cphhlgmgameodnhkjdmkpanlelnlohao_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\manifest.fingerprint\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\IndexedDB\chrome-extension_kpfopkelmapcoipemfendmdcghnegimn_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\IndexedDB\chrome-extension_bcopgchhojmggmffilplmbdicgaihlkp_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\IndexedDB\chrome-extension_nknhiehlklippafakaeklbeglecifhad_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser\Sync Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser\IndexedDB\chrome-extension_aiifbnbfobpmeekipheeijimdpnlpgpp_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\IndexedDB\chrome-extension_aiifbnbfobpmeekipheeijimdpnlpgpp_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5cdc4392fee6ab4544b15e9ad456e61037fbd5fa47dca17394b25ee6f6c70eca.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\IndexedDB\chrome-extension_bcopgchhojmggmffilplmbdicgaihlkp_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\IndexedDB\chrome-extension_ookjlbkiijinhpmnjffcofjonbfbgaoc_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser\Sync Extension Settings\cihmoadaighcejopammfbmddcmdekcje\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x00183f60

size

0x00000354

Creates executable files on the filesystem (7 events)

file	C:\ProgramData\sqlite3.dll
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\file3.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\file3.exe" & exit

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 27, 2022, 9:41 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\file3.exe" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 27, 2022, 9:41 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003d0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process file3.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR@0B/102 request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 27, 2022, 9:41 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00017a00', u'virtual_address': u'0x00185000', u'entropy': 7.996780870158532, u'name': u'.text', u'virtual_size': u'0x00018000'}

entropy

7.99678087016

description

A section with a high entropy has been found

Expresses interest in specific running processes (1 event)

process

file3.exe

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000310 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Jan. 27, 2022, 9:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000314 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\file3.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\AppData\Local\Temp\file3.exe" & exit

Communicates with host for which no DNS query was performed (1 event)

host

37.252.15.126

Checks for the presence of known devices from debuggers and forensic tools (2 events)

file	\??\SICE
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (2 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowW Jan. 27, 2022, 9:41 a.m.	class_name: WinDbgFrameClass window_name:		0	0
FindWindowExW Jan. 27, 2022, 9:41 a.m.	class_name: OLLYDBG child_after_hwnd: 0x00000000 parent_hwnd: 0x00000000 window_name: OllyDBg	1	196652	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\file3.exe

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Jan. 27, 2022, 9:41 a.m.	key_handle: 0x00000314 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2308 resumed a thread in remote process 2536
NtResumeThread Jan. 27, 2022, 9:41 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2536	1	0	0

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxGuest

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Lionic	Trojan.Multi.Generic.4!c
FireEye	Generic.mg.2b2ec30a2bf1c716
Cylance	Unsafe
Cybereason	malicious.eab134
BitDefenderTheta	Gen:NN.ZexaF.34182.Rr3@a09ASZcj
Cyren	W32/Obsidium.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
Sophos	Generic ML PUA (PUA)
Kingsoft	Win32.Heur.KVMH015.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!2B2EC30A2BF1
VBA32	BScope.Trojan.Tiggre
Malwarebytes	Trojan.MalPack.Obsidium
APEX	Malicious
Rising	Trojan.Vidar!8.114A8 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_70% (W)

file3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All