Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 21, 2021, 12:38 p.m.	June 21, 2021, 12:44 p.m.

Size	2.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`350d120fa10b2400fd108dbb87577d3c`
SHA256	`a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b`
CRC32	`05542669`
ssdeep	`49152:QiI0MRZ2deU2IGq/jipDDyyGQIwMq6M9/4pSCegrxkmD9khBS4xJRqX/:Ql0Mz2dew/upnylFwMq6M9/QSCesxkmb`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) themida_packer - themida packer

file20.exe "C:\Users\test22\AppData\Local\Temp\file20.exe"
2948

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172

IP Address	Status	Action
104.26.13.31	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.107	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.107:47059 -> 192.168.56.101:49201	2400025	ET DROP Spamhaus DROP Listed Traffic Inbound group 26	Misc Attack
TCP 192.168.56.101:49202 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.107:47059 -> 192.168.56.101:49201	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49202 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2021, 12:38 p.m.			0	0
IsDebuggerPresent June 21, 2021, 12:38 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey June 21, 2021, 12:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00473c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00473c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2021, 12:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00473ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2021, 12:38 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.imports
section	.themida
section	.boot

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: file20+0x3a35be @ 0x11a35be file20+0x418909 @ 0x1218909 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 5b 24 4b 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2227632 registers.edi: 14868480 registers.eax: 2227632 registers.ebp: 2227712 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2000778283 registers.ecx: 3467444224	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: exception.instruction_r: ed e9 ba 9e 03 00 c3 e9 00 59 07 00 64 89 1b ab exception.symbol: file20+0x3e01f9 exception.instruction: in eax, dx exception.module: file20.exe exception.exception_code: 0xc0000096 exception.offset: 4063737 exception.address: 0x11e01f9 registers.esp: 2227752 registers.edi: 16103604 registers.eax: 1750617430 registers.ebp: 14868480 registers.edx: 22614 registers.ebx: 2147483650 registers.esi: 15634979 registers.ecx: 20	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: exception.instruction_r: ed e9 4b 21 09 00 9b 00 b7 d2 a1 00 5e 95 ff ff exception.symbol: file20+0x3d4f59 exception.instruction: in eax, dx exception.module: file20.exe exception.exception_code: 0xc0000096 exception.offset: 4018009 exception.address: 0x11d4f59 registers.esp: 2227752 registers.edi: 16103604 registers.eax: 1447909480 registers.ebp: 14868480 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15634979 registers.ecx: 10	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fa322 0x28fa29f 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fa3b1 registers.esp: 2224508 registers.edi: 53356184 registers.eax: 0 registers.ebp: 2224532 registers.edx: 3901496 registers.ebx: 51005164 registers.esi: 53356364 registers.ecx: 0	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fb8a7 0x28fb7e9 0x28fb515 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224304 registers.edi: 51695756 registers.eax: 0 registers.ebp: 2224348 registers.edx: 43048956 registers.ebx: 51695560 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fb8a7 0x28fb7e9 0x28fb515 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224304 registers.edi: 52661280 registers.eax: 0 registers.ebp: 2224348 registers.edx: 43048956 registers.ebx: 52661084 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fb8a7 0x28fb7e9 0x28fb515 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224304 registers.edi: 53613296 registers.eax: 0 registers.ebp: 2224348 registers.edx: 43048956 registers.ebx: 53613100 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fd3d6 0x28fd329 0x28fb58a 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224296 registers.edi: 54565076 registers.eax: 0 registers.ebp: 2224340 registers.edx: 43048956 registers.ebx: 54564880 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fd3d6 0x28fd329 0x28fb58a 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224296 registers.edi: 55528496 registers.eax: 0 registers.ebp: 2224340 registers.edx: 43048956 registers.ebx: 55528300 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fd3d6 0x28fd329 0x28fb58a 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224296 registers.edi: 56491916 registers.eax: 0 registers.ebp: 2224340 registers.edx: 43048956 registers.ebx: 56491720 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fd937 0x28fd889 0x28fb5ff 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224300 registers.edi: 51961080 registers.eax: 0 registers.ebp: 2224344 registers.edx: 43048956 registers.ebx: 51960884 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fd937 0x28fd889 0x28fb5ff 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224300 registers.edi: 52977188 registers.eax: 0 registers.ebp: 2224344 registers.edx: 43048956 registers.ebx: 52976992 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fd937 0x28fd889 0x28fb5ff 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224300 registers.edi: 53993296 registers.eax: 0 registers.ebp: 2224344 registers.edx: 43048956 registers.ebx: 53993100 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fdd79 0x28fdcc9 0x28fb66e 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224296 registers.edi: 55009584 registers.eax: 0 registers.ebp: 2224340 registers.edx: 43048956 registers.ebx: 55009388 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fdd79 0x28fdcc9 0x28fb66e 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224296 registers.edi: 56027812 registers.eax: 0 registers.ebp: 2224340 registers.edx: 43048956 registers.ebx: 56027616 registers.esi: 0 registers.ecx: 43049480	1
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: 0x28fdd79 0x28fdcc9 0x28fb66e 0x28fafd7 0x28f1502 0x28f0392 0x28f00d8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28fbc43 registers.esp: 2224296 registers.edi: 52258884 registers.eax: 0 registers.ebp: 2224340 registers.edx: 43048956 registers.ebx: 52258688 registers.esi: 0 registers.ecx: 43049480	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/geoip

Performs some HTTP requests (1 event)

request

GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 144 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75483000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75737000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a84000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2021, 12:38 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

file20.exe tried to sleep 181 seconds, actually delayed analysis time by 181 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 21, 2021, 12:38 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00009d8f', u'virtual_address': u'0x00002000', u'entropy': 7.965472877704168, u'name': u' ', u'virtual_size': u'0x00018000'}

entropy

7.9654728777

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001213', u'virtual_address': u'0x0001a000', u'entropy': 7.918011694357333, u'name': u' ', u'virtual_size': u'0x00006652'}

entropy

7.91801169436

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0021f52c', u'virtual_address': u'0x004ac000', u'entropy': 7.963815441989735, u'name': u'.boot', u'virtual_size': u'0x0021f800'}

entropy

7.96381544199

description

A section with a high entropy has been found

entropy

0.987962544336

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 21, 2021, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: AddressBook base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: Connection Manager base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: DirectDrawEx base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: EditPlus base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: ENTERPRISE base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: Fontcore base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: Google Chrome base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: IE40 base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: IE4Data base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: IE5BAKEX base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: IEData base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: MobileOptionPack base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: SchedulingAgent base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: WIC base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW June 21, 2021, 12:38 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000006a8 key_handle: 0x000006a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.107

Checks for the presence of known windows from debuggers and forensic tools (50 out of 159 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 21, 2021, 12:38 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 21, 2021, 12:38 p.m.	class_name: Filemonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 21, 2021, 12:38 p.m.	key_handle: 0x000006a4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 21, 2021, 12:38 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 21, 2021, 12:38 p.m.	stacktrace: exception.instruction_r: ed e9 4b 21 09 00 9b 00 b7 d2 a1 00 5e 95 ff ff exception.symbol: file20+0x3d4f59 exception.instruction: in eax, dx exception.module: file20.exe exception.exception_code: 0xc0000096 exception.offset: 4018009 exception.address: 0x11d4f59 registers.esp: 2227752 registers.edi: 16103604 registers.eax: 1447909480 registers.ebp: 14868480 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15634979 registers.ecx: 10	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.350d120fa10b2400
Cylance	Unsafe
Cybereason	malicious.f40de4
Cyren	W32/Themida.F.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HVA
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.MSIL.Reline.pef
Rising	Malware.Heuristic!ET#93% (RDMK:cmRtazppPaVg+hPcMO+bgsjRRX/Q)
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
Microsoft	Trojan:Win32/Wacatac.B!ml
Gridinsoft	Trojan.Heur!.012120B1
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.RL_Reputation.R365609
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34758.mE1@aiRWqBpi
Malwarebytes	Trojan.MalPack.Themida.Generic
Ikarus	Trojan.Win32.Themida
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PackedThemida.HVA!tr
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_90% (W)

file20.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All