Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 10, 2021, 6:07 p.m.	Nov. 10, 2021, 6:09 p.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`62e48160bc502c948c21e9574c8d9aa6`
SHA256	`1c031533f2717560f8bc0cb2019ec55ae7423490e51c811e30b85d382cbff5ec`
CRC32	`9E062EA3`
ssdeep	`49152:KWaFOzqkt33lUd0kLprNlZgHD5NUaQH2TXoxqEYfsYJgnUyLX+kNf1e1KIczgVQz:KBQlUd0k1hg1NlKakqls6ayMe1/Mtn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) themida_packer - themida packer

4486_1636398307_3671.exe "C:\Users\test22\AppData\Local\Temp\4486_1636398307_3671.exe"
2316

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
65.108.20.184	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 10, 2021, 6:07 p.m.			0	0
IsDebuggerPresent Nov. 10, 2021, 6:07 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 10, 2021, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f79f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f79f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f79fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 10, 2021, 6:07 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.imports
section	.themida
section	.boot

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Nov. 10, 2021, 6:07 p.m.	stacktrace: 4486_1636398307_3671+0x457568 @ 0x487568 4486_1636398307_3671+0x420efa @ 0x450efa exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 aa 3a a4 89 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 11729260 registers.edi: 589824 registers.eax: 11729260 registers.ebp: 11729340 registers.edx: 2130566132 registers.ebx: 1562542 registers.esi: 1999795243 registers.ecx: 417333248	1
__exception__ Nov. 10, 2021, 6:07 p.m.	stacktrace: exception.instruction_r: ed e9 39 41 fe ff 31 77 12 23 4d ed 4a e5 a5 6c exception.symbol: 4486_1636398307_3671+0x4a3412 exception.instruction: in eax, dx exception.module: 4486_1636398307_3671.exe exception.exception_code: 0xc0000096 exception.offset: 4862994 exception.address: 0x4d3412 registers.esp: 11729380 registers.edi: 2029758 registers.eax: 1750617430 registers.ebp: 589824 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13549548 registers.ecx: 20	1
__exception__ Nov. 10, 2021, 6:07 p.m.	stacktrace: exception.instruction_r: ed e9 1d ab 28 00 c3 e9 c1 64 27 00 1a 00 33 06 exception.symbol: 4486_1636398307_3671+0x210c29 exception.instruction: in eax, dx exception.module: 4486_1636398307_3671.exe exception.exception_code: 0xc0000096 exception.offset: 2165801 exception.address: 0x240c29 registers.esp: 11729380 registers.edi: 2029758 registers.eax: 1447909480 registers.ebp: 589824 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13549548 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 124 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76873000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766fd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766fd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7689c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766fb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7689d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7688a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76875000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7688c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76873000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766fb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76873000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76873000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7670b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76875000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7670b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7689c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76875000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ac3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76875000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 6:07 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76874000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

4486_1636398307_3671.exe tried to sleep 195 seconds, actually delayed analysis time by 195 seconds

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0000a8a9', u'virtual_address': u'0x00002000', u'entropy': 7.973237433162985, u'name': u' ', u'virtual_size': u'0x0001a000'}

entropy

7.97323743316

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000a9a1', u'virtual_address': u'0x0001c000', u'entropy': 7.962835880598338, u'name': u' ', u'virtual_size': u'0x0001ec2c'}

entropy

7.9628358806

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00271031', u'virtual_address': u'0x004de000', u'entropy': 7.938994129471118, u'name': u'.boot', u'virtual_size': u'0x00271400'}

entropy

7.93899412947

description

A section with a high entropy has been found

entropy

0.953862915392

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

65.108.20.184

Checks for the presence of known windows from debuggers and forensic tools (50 out of 159 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 10, 2021, 6:07 p.m.	class_name: Filemonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 10, 2021, 6:07 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 10, 2021, 6:07 p.m.	stacktrace: exception.instruction_r: ed e9 1d ab 28 00 c3 e9 c1 64 27 00 1a 00 33 06 exception.symbol: 4486_1636398307_3671+0x210c29 exception.instruction: in eax, dx exception.module: 4486_1636398307_3671.exe exception.exception_code: 0xc0000096 exception.offset: 2165801 exception.address: 0x240c29 registers.esp: 11729380 registers.edi: 2029758 registers.eax: 1447909480 registers.ebp: 589824 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13549548 registers.ecx: 10	1	0	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.62e48160bc502c94
McAfee	Artemis!62E48160BC50
Cylance	Unsafe
K7AntiVirus	Trojan ( 0057cf861 )
K7GW	Trojan ( 0057cf861 )
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZexaF.34266.QE2@amAte1ii
Cyren	W32/Themida.N.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HVA
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Reline.pef
Avast	FileRepMalware
McAfee-GW-Edition	Artemis!Trojan
Sophos	ML/PE-A
MaxSecure	Trojan.Malware.300983.susgen
Avira	HEUR/AGEN.1143444
Gridinsoft	Trojan.Heur!.012120B1
Microsoft	Trojan:Script/Phonzy.C!ml
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Reline.pef
GData	Win32.Trojan.Agent.V7BJFA
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.RL_Reputation.R365609
Acronis	suspicious
Malwarebytes	Trojan.MalPack.Themida
Rising	Malware.Heuristic!ET#96% (RDMK:cmRtazrF1k6Vw21oe/pF2OLi78xi)
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
AVG	FileRepMalware
Cybereason	malicious.483490
Panda	Trj/Genetic.gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (18 events)

dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49163
dead_host	192.168.56.103:49162
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49165
dead_host	65.108.20.184:13650
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49166

4486_1636398307_3671.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All