Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2021, 1:19 p.m.	July 12, 2021, 1:21 p.m.

Size	8.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0ed8664e0ae8bb176b6d0fc0251b608e`
SHA256	`2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665`
CRC32	`B0E44DCA`
ssdeep	`98304:STSqui3+XvGqgHV+QGcu3fs0NWBsARD+mhryFItygoLi+FTZ9ia9qzR9:/quiuXOb+D3fo+uk9iiZ9jM`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature IsPE32 - (no description) Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) OS_Processor_Check_Zero - OS Processor Check Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Jople.exe "C:\Users\test22\AppData\Local\Temp\Jople.exe"
2444

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172

IP Address	Status	Action
104.26.12.31	Active	Moloch
164.124.101.2	Active	Moloch
185.230.143.117	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 1:19 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 12, 2021, 1:19 p.m.			0	0
IsDebuggerPresent July 12, 2021, 1:19 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey July 12, 2021, 1:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 1:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 1:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 1:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00758560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 1:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00758560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 1:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007583a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 1:19 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	\xc3\xac\xc3\xa0\xc3\xb0\xc3
section	.vm_sec
section	.themida

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: jople+0x405db9 @ 0x1645db9 jople+0x405e56 @ 0x1645e56 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 d7 72 a7 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2555080 registers.edi: 21192704 registers.eax: 2555080 registers.ebp: 2555160 registers.edx: 2130566132 registers.ebx: 32 registers.esi: 2000778283 registers.ecx: 4092133376	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 93 7c e8 ff exception.symbol: jople+0x424b90 exception.instruction: in eax, dx exception.module: Jople.exe exception.exception_code: 0xc0000096 exception.offset: 4344720 exception.address: 0x1664b90 registers.esp: 2555200 registers.edi: 21958054 registers.eax: 1750617430 registers.ebp: 21192704 registers.edx: 4294924374 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: jople+0x424c04 exception.instruction: in eax, dx exception.module: Jople.exe exception.exception_code: 0xc0000096 exception.offset: 4344836 exception.address: 0x1664c04 registers.esp: 2555200 registers.edi: 21958054 registers.eax: 1447909480 registers.ebp: 21192704 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x1037507 0x1037449 0x10369e6 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551668 registers.edi: 0 registers.eax: 0 registers.ebp: 2551724 registers.edx: 17076964 registers.ebx: 52119220 registers.esi: 52119468 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x1037507 0x1037449 0x10369e6 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551668 registers.edi: 0 registers.eax: 0 registers.ebp: 2551724 registers.edx: 17076964 registers.ebx: 53085768 registers.esi: 53086016 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x1037507 0x1037449 0x10369e6 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551668 registers.edi: 0 registers.eax: 0 registers.ebp: 2551724 registers.edx: 17076964 registers.ebx: 54038660 registers.esi: 54038908 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103aa26 0x103a979 0x1036a5b 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551660 registers.edi: 0 registers.eax: 0 registers.ebp: 2551716 registers.edx: 17076964 registers.ebx: 54991316 registers.esi: 54991564 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103aa26 0x103a979 0x1036a5b 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551660 registers.edi: 0 registers.eax: 0 registers.ebp: 2551716 registers.edx: 17076964 registers.ebx: 55955248 registers.esi: 55955496 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103aa26 0x103a979 0x1036a5b 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551660 registers.edi: 0 registers.eax: 0 registers.ebp: 2551716 registers.edx: 17076964 registers.ebx: 52154428 registers.esi: 52154676 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103afa7 0x103aef9 0x1036ad0 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551664 registers.edi: 0 registers.eax: 0 registers.ebp: 2551720 registers.edx: 17076964 registers.ebx: 53118452 registers.esi: 53118700 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103afa7 0x103aef9 0x1036ad0 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551664 registers.edi: 0 registers.eax: 0 registers.ebp: 2551720 registers.edx: 17076964 registers.ebx: 54134904 registers.esi: 54135152 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103afa7 0x103aef9 0x1036ad0 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551664 registers.edi: 0 registers.eax: 0 registers.ebp: 2551720 registers.edx: 17076964 registers.ebx: 55151356 registers.esi: 55151604 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103b3e9 0x103b339 0x1036b3f 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551660 registers.edi: 0 registers.eax: 0 registers.ebp: 2551716 registers.edx: 17076964 registers.ebx: 56167888 registers.esi: 56168136 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103b3e9 0x103b339 0x1036b3f 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551660 registers.edi: 0 registers.eax: 0 registers.ebp: 2551716 registers.edx: 17076964 registers.ebx: 52209308 registers.esi: 52209556 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x103b3e9 0x103b339 0x1036b3f 0x103649e 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 40 04 89 45 cc 83 3d 48 33 0e 04 00 74 00 c7 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x103786a registers.esp: 2551660 registers.edi: 0 registers.eax: 0 registers.ebp: 2551716 registers.edx: 17076964 registers.ebx: 53228012 registers.esi: 53228260 registers.ecx: 17077584	1
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: 0x62e476d 0x62e41ff 0x1035042 0x1033b1f 0x1030070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 85 c0 74 02 eb 15 33 c0 83 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62e48c0 registers.esp: 2551852 registers.edi: 2551880 registers.eax: 0 registers.ebp: 2551892 registers.edx: 6976136 registers.ebx: 53175504 registers.esi: 53176560 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/geoip

Performs some HTTP requests (1 event)

request

GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 243 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a8b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a8b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a84000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Foreign language identified in PE resource (1 event)

name

RT_MANIFEST

language

LANG_GEORGIAN

filetype

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

sublanguage

SUBLANG_NEUTRAL

offset

0x0088889c

size

0x0003533f

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 12, 2021, 1:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00330000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 12, 2021, 1:19 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x001a9000', u'virtual_address': u'0x00034000', u'entropy': 7.825385803491586, u'name': u' \\xc3\\xac\\xc3\\xa0\\xc3\\xb0\\xc3', u'virtual_size': u'0x001a8ff0'}

entropy

7.82538580349

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0020b000', u'virtual_address': u'0x00480000', u'entropy': 7.792924983397711, u'name': u' \\xc3\\xac\\xc3\\xa0\\xc3\\xb0\\xc3', u'virtual_size': u'0x0020af88'}

entropy

7.7929249834

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001e4c00', u'virtual_address': u'0x0068c000', u'entropy': 7.698758661268486, u'name': u' \\xc3\\xac\\xc3\\xa0\\xc3\\xb0\\xc3', u'virtual_size': u'0x001e4b60'}

entropy

7.69875866127

description

A section with a high entropy has been found

entropy

0.643498764878

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 12, 2021, 1:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: AddressBook base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: Connection Manager base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: DirectDrawEx base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: EditPlus base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: ENTERPRISE base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: Fontcore base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: Google Chrome base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: IE40 base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: IE4Data base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: IE5BAKEX base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: IEData base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: MobileOptionPack base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: SchedulingAgent base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: WIC base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 12, 2021, 1:19 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000005c8 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.230.143.117

Checks for the presence of known windows from debuggers and forensic tools (50 out of 51 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 12, 2021, 1:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 12, 2021, 1:20 p.m.	class_name: Filemonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 12, 2021, 1:19 p.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 12, 2021, 1:19 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2021, 1:19 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: jople+0x424c04 exception.instruction: in eax, dx exception.module: Jople.exe exception.exception_code: 0xc0000096 exception.offset: 4344836 exception.address: 0x1664c04 registers.esp: 2555200 registers.edi: 21958054 registers.eax: 1447909480 registers.ebp: 21192704 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.MSIL.Reline.i!c
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Stealer.30741
MicroWorld-eScan	Trojan.GenericKD.46608971
FireEye	Generic.mg.0ed8664e0ae8bb17
ALYac	Trojan.GenericKD.46608971
Sangfor	Infostealer.MSIL.Reline.dlm
Alibaba	TrojanPSW:MSIL/Reline.03dbdf00
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.d15661
BitDefenderTheta	Gen:NN.ZexaF.34790.@R0@aClW0bmG
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.HIDJCSG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.MSIL.Reline.dlm
BitDefender	Trojan.GenericKD.46608971
Avast	Win32:Malware-gen
Rising	Trojan.Generic@ML.100 (RDML:SECSbvnvss6Jkqp6JU91fQ)
Ad-Aware	Trojan.GenericKD.46608971
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Drixed.rc
Emsisoft	Trojan.GenericKD.46608971 (B)
Ikarus	Trojan-Spy.MSIL.Agent
Webroot	W32.Trojan.Gen
Avira	TR/PSW.Stealer.egipp
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Microsoft	Trojan:Win32/Tnega!ml
Gridinsoft	Trojan.Heur!.03014201
GData	Trojan.GenericKD.46608971
Cynet	Malicious (score: 99)
McAfee	Artemis!0ED8664E0AE8
MAX	malware (ai score=83)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Trojan.MalPack.Themida
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	PossibleThreat.PALLASNET.H
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Heur.Generic.HxMBensA

Jople.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All