Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 16, 2024, 6:21 p.m.	Dec. 16, 2024, 7:25 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3b8b3018e3283830627249d26305419d`
SHA256	`258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb`
CRC32	`45F0C30C`
ssdeep	`49152:P8nqKzUOChrrWci7WP+g5YQtli9T0n26vwh:PsqJJrrWviPcf6`
Yara	themida_packer - themida packer IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

3EUEYgl.exe "C:\Users\test22\AppData\Local\Temp\3EUEYgl.exe"
660

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.74.170.104	104.76.74.15

IP Address	Status	Action
104.74.170.104	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
65.109.242.111	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49170 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49175 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49175 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49169 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49176 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49176 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49173 -> 104.74.170.104:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49182 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49179 -> 104.74.170.104:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 104.74.170.104:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49182 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49175 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49170 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49176 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49173 104.74.170.104:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49179 104.74.170.104:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49166 104.74.170.104:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 16, 2024, 6:17 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:17 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:18 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	xiumbxnc
section	kdqtiokw
section	.taggant

One or more processes crashed (50 out of 117 events)

Time & API	Arguments	Status
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 3eueygl+0x4f40b9 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 5193913 exception.address: 0x8f40b9 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 11112448 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 52 e9 99 02 00 00 52 ba 04 00 00 00 81 c5 24 exception.symbol: 3eueygl+0x24b45b exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 2405467 exception.address: 0x64b45b registers.esp: 1638240 registers.edi: 1971192040 registers.eax: 27365 registers.ebp: 3972042772 registers.edx: 4194304 registers.ebx: 266759789 registers.esi: 3 registers.ecx: 6598111	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 68 45 f0 8d 38 e9 c8 05 00 00 51 56 be 2a 30 exception.symbol: 3eueygl+0x24ae06 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 2403846 exception.address: 0x64ae06 registers.esp: 1638244 registers.edi: 0 registers.eax: 27365 registers.ebp: 3972042772 registers.edx: 4194304 registers.ebx: 242921 registers.esi: 3 registers.ecx: 6601048	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 e8 f8 ff ff 52 ba 86 ef ff 7e e9 00 00 00 exception.symbol: 3eueygl+0x24c77e exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 2410366 exception.address: 0x64c77e registers.esp: 1638240 registers.edi: 0 registers.eax: 26355 registers.ebp: 3972042772 registers.edx: 4194304 registers.ebx: 242921 registers.esi: 3 registers.ecx: 6602345	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 00 1f 9b 0b 89 2c 24 89 3c 24 e9 exception.symbol: 3eueygl+0x24c573 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 2409843 exception.address: 0x64c573 registers.esp: 1638244 registers.edi: 0 registers.eax: 1259 registers.ebp: 3972042772 registers.edx: 4294943464 registers.ebx: 242921 registers.esi: 3 registers.ecx: 6628700	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 2d 5e 2f eb 53 68 17 cd 21 45 89 14 24 ba c6 exception.symbol: 3eueygl+0x3c8f3f exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 3968831 exception.address: 0x7c8f3f registers.esp: 1638240 registers.edi: 6637450 registers.eax: 8161597 registers.ebp: 3972042772 registers.edx: 6593109 registers.ebx: 2383872 registers.esi: 8161122 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 3c 01 00 00 5d e9 fd 05 00 00 4d f7 dd 81 exception.symbol: 3eueygl+0x3c8a3e exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 3967550 exception.address: 0x7c8a3e registers.esp: 1638244 registers.edi: 7006546 registers.eax: 8164591 registers.ebp: 3972042772 registers.edx: 6593109 registers.ebx: 2383872 registers.esi: 8161122 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 1f ff 34 24 ff 34 24 5a e9 70 03 exception.symbol: 3eueygl+0x3cea0c exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 3992076 exception.address: 0x7cea0c registers.esp: 1638244 registers.edi: 42336 registers.eax: 26986 registers.ebp: 3972042772 registers.edx: 8185637 registers.ebx: 8213183 registers.esi: 0 registers.ecx: 42336	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 83 ed 04 87 2c 24 exception.symbol: 3eueygl+0x3cecae exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 3992750 exception.address: 0x7cecae registers.esp: 1638244 registers.edi: 4294942900 registers.eax: 26986 registers.ebp: 3972042772 registers.edx: 50665 registers.ebx: 8213183 registers.esi: 0 registers.ecx: 42336	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 53 c7 04 24 fd 68 26 48 89 1c 24 bb a6 b8 exception.symbol: 3eueygl+0x3d5f97 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4022167 exception.address: 0x7d5f97 registers.esp: 1638240 registers.edi: 8214017 registers.eax: 30427 registers.ebp: 3972042772 registers.edx: 307429250 registers.ebx: 560931072 registers.esi: 0 registers.ecx: 560931072	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 56 89 3c 24 89 14 exception.symbol: 3eueygl+0x3d5dee exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4021742 exception.address: 0x7d5dee registers.esp: 1638244 registers.edi: 8217204 registers.eax: 202985 registers.ebp: 3972042772 registers.edx: 307429250 registers.ebx: 560931072 registers.esi: 0 registers.ecx: 560931072	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 53 55 89 24 24 83 04 24 exception.symbol: 3eueygl+0x3dc6e7 exception.instruction: in eax, dx exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4048615 exception.address: 0x7dc6e7 registers.esp: 1638236 registers.edi: 12463745 registers.eax: 1447909480 registers.ebp: 3972042772 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 8223566 registers.ecx: 20	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 3eueygl+0x3db94b exception.address: 0x7db94b exception.module: 3EUEYgl.exe exception.exception_code: 0xc000001d exception.offset: 4045131 registers.esp: 1638236 registers.edi: 12463745 registers.eax: 1 registers.ebp: 3972042772 registers.edx: 22104 registers.ebx: 0 registers.esi: 8223566 registers.ecx: 20	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 b5 2a a4 13 01 exception.symbol: 3eueygl+0x3db290 exception.instruction: in eax, dx exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4043408 exception.address: 0x7db290 registers.esp: 1638236 registers.edi: 12463745 registers.eax: 1447909480 registers.ebp: 3972042772 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 8223566 registers.ecx: 10	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 80 ed a7 6a 00 53 e8 03 00 00 00 20 exception.symbol: 3eueygl+0x3e0541 exception.instruction: int 1 exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000005 exception.offset: 4064577 exception.address: 0x7e0541 registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 3972042772 registers.edx: 210856061 registers.ebx: 8259294 registers.esi: 8258856 registers.ecx: 210856061	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 b8 74 81 e7 59 51 e9 1c f9 ff ff exception.symbol: 3eueygl+0x3e1188 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4067720 exception.address: 0x7e1188 registers.esp: 1638240 registers.edi: 12463745 registers.eax: 32918 registers.ebp: 3972042772 registers.edx: 8259927 registers.ebx: 48114468 registers.esi: 3031652311 registers.ecx: 753674752	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 53 57 89 14 24 e9 4f fa ff ff 81 ec 04 00 00 exception.symbol: 3eueygl+0x3e1340 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4068160 exception.address: 0x7e1340 registers.esp: 1638244 registers.edi: 12463745 registers.eax: 32918 registers.ebp: 3972042772 registers.edx: 8292845 registers.ebx: 48114468 registers.esi: 6379 registers.ecx: 4294937780	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 57 89 2c 24 bd e1 3d df 5e 50 68 72 b6 7d 50 exception.symbol: 3eueygl+0x3f0b94 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4131732 exception.address: 0x7f0b94 registers.esp: 1638240 registers.edi: 6594190 registers.eax: 31813 registers.ebp: 3972042772 registers.edx: 8323486 registers.ebx: 48114690 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 d0 07 00 00 5e 8b 0c 24 81 c4 04 00 00 00 exception.symbol: 3eueygl+0x3f030b exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4129547 exception.address: 0x7f030b registers.esp: 1638244 registers.edi: 6594190 registers.eax: 31813 registers.ebp: 3972042772 registers.edx: 8355299 registers.ebx: 48114690 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 68 65 8c 95 49 89 0c 24 50 68 32 e6 41 21 89 exception.symbol: 3eueygl+0x3f0a7d exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4131453 exception.address: 0x7f0a7d registers.esp: 1638244 registers.edi: 604292945 registers.eax: 31813 registers.ebp: 3972042772 registers.edx: 8355299 registers.ebx: 48114690 registers.esi: 1971262480 registers.ecx: 4294938188	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 68 ad 24 95 35 89 04 24 55 bd eb 6f b9 35 52 exception.symbol: 3eueygl+0x3f45bd exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4146621 exception.address: 0x7f45bd registers.esp: 1638240 registers.edi: 3368310597 registers.eax: 29487 registers.ebp: 3972042772 registers.edx: 1697460317 registers.ebx: 629172993 registers.esi: 2575555425 registers.ecx: 8339953	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb bb f2 42 ee 75 56 53 e9 18 f5 ff ff 54 e9 c3 exception.symbol: 3eueygl+0x3f4d01 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4148481 exception.address: 0x7f4d01 registers.esp: 1638244 registers.edi: 3368310597 registers.eax: 262633 registers.ebp: 3972042772 registers.edx: 1697460317 registers.ebx: 629172993 registers.esi: 0 registers.ecx: 8342888	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 51 b9 23 81 ab 7b 55 bd b1 24 8f 69 e9 00 00 exception.symbol: 3eueygl+0x3f79e4 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4159972 exception.address: 0x7f79e4 registers.esp: 1638236 registers.edi: 3368310597 registers.eax: 809705 registers.ebp: 3972042772 registers.edx: 0 registers.ebx: 8354847 registers.esi: 0 registers.ecx: 8342888	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 0c fe ff ff 01 cd e9 30 00 00 00 81 f6 36 exception.symbol: 3eueygl+0x3fd877 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4184183 exception.address: 0x7fd877 registers.esp: 1638232 registers.edi: 3368310597 registers.eax: 8376298 registers.ebp: 3972042772 registers.edx: 2130566132 registers.ebx: 280151713 registers.esi: 0 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 57 68 20 a7 67 73 89 24 24 81 04 24 04 00 00 exception.symbol: 3eueygl+0x3fd74c exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4183884 exception.address: 0x7fd74c registers.esp: 1638236 registers.edi: 3368310597 registers.eax: 8402835 registers.ebp: 3972042772 registers.edx: 2130566132 registers.ebx: 280151713 registers.esi: 0 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 89 14 24 83 ec 04 89 04 24 exception.symbol: 3eueygl+0x3fd153 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4182355 exception.address: 0x7fd153 registers.esp: 1638236 registers.edi: 3368310597 registers.eax: 8378915 registers.ebp: 3972042772 registers.edx: 14827 registers.ebx: 0 registers.esi: 0 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 68 64 89 02 5c 89 1c 24 55 bd c5 91 ea 7d bb exception.symbol: 3eueygl+0x41bee5 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4308709 exception.address: 0x81bee5 registers.esp: 1638204 registers.edi: 8190167 registers.eax: 32505 registers.ebp: 3972042772 registers.edx: 2130566132 registers.ebx: 8534789 registers.esi: 8498054 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 ba 33 93 fb 1f 89 d3 e9 5e ff ff exception.symbol: 3eueygl+0x41be76 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4308598 exception.address: 0x81be76 registers.esp: 1638204 registers.edi: 116969 registers.eax: 32505 registers.ebp: 3972042772 registers.edx: 2130566132 registers.ebx: 8505101 registers.esi: 0 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 f2 50 2e 32 89 04 24 57 e9 71 06 exception.symbol: 3eueygl+0x41ce39 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4312633 exception.address: 0x81ce39 registers.esp: 1638200 registers.edi: 116969 registers.eax: 31800 registers.ebp: 3972042772 registers.edx: 1994026684 registers.ebx: 1436959685 registers.esi: 0 registers.ecx: 8506904	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 58 4f 4c 1d e9 f3 07 00 00 01 d1 exception.symbol: 3eueygl+0x41cf17 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4312855 exception.address: 0x81cf17 registers.esp: 1638204 registers.edi: 116969 registers.eax: 4294938268 registers.ebp: 3972042772 registers.edx: 1994026684 registers.ebx: 1436959685 registers.esi: 3498049640 registers.ecx: 8538704	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 de f9 ff ff 89 04 24 89 2c 24 bd c6 b0 df exception.symbol: 3eueygl+0x41e1de exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4317662 exception.address: 0x81e1de registers.esp: 1638200 registers.edi: 116969 registers.eax: 26136 registers.ebp: 3972042772 registers.edx: 1994026684 registers.ebx: 1073623658 registers.esi: 8510139 registers.ecx: 8538704	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 e9 42 00 00 00 21 d1 8b 14 24 e9 exception.symbol: 3eueygl+0x41e2cc exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4317900 exception.address: 0x81e2cc registers.esp: 1638204 registers.edi: 116969 registers.eax: 26136 registers.ebp: 3972042772 registers.edx: 1994026684 registers.ebx: 1073623658 registers.esi: 8536275 registers.ecx: 8538704	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 52 e9 d7 fe ff ff 87 14 24 81 2c 24 05 e4 1a exception.symbol: 3eueygl+0x41e021 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4317217 exception.address: 0x81e021 registers.esp: 1638204 registers.edi: 445483360 registers.eax: 26136 registers.ebp: 3972042772 registers.edx: 0 registers.ebx: 1073623658 registers.esi: 8512787 registers.ecx: 8538704	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 53 e9 8d ff ff ff 5e 81 04 24 1d ec 2a c2 89 exception.symbol: 3eueygl+0x41f14a exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4321610 exception.address: 0x81f14a registers.esp: 1638204 registers.edi: 4294942720 registers.eax: 27358 registers.ebp: 3972042772 registers.edx: 0 registers.ebx: 8542015 registers.esi: 1426090592 registers.ecx: 8538704	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 81 c7 9c ab f3 1d 57 c7 04 24 ce 66 73 04 89 exception.symbol: 3eueygl+0x41fd99 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4324761 exception.address: 0x81fd99 registers.esp: 1638200 registers.edi: 8518848 registers.eax: 28744 registers.ebp: 3972042772 registers.edx: 19024 registers.ebx: 8563671 registers.esi: 8517467 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 56 e9 88 fb ff ff 81 c4 04 00 00 00 e9 2b 00 exception.symbol: 3eueygl+0x42028a exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4326026 exception.address: 0x82028a registers.esp: 1638204 registers.edi: 8547592 registers.eax: 4294941096 registers.ebp: 3972042772 registers.edx: 19024 registers.ebx: 8563671 registers.esi: 8517467 registers.ecx: 3472580968	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 39 8b 1c 24 57 89 04 24 e9 99 f6 exception.symbol: 3eueygl+0x427cc0 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4357312 exception.address: 0x827cc0 registers.esp: 1638204 registers.edi: 8547592 registers.eax: 31630 registers.ebp: 3972042772 registers.edx: 0 registers.ebx: 3090 registers.esi: 8549183 registers.ecx: 8580754	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 57 89 04 24 e9 b4 fd ff ff 50 56 exception.symbol: 3eueygl+0x427773 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4355955 exception.address: 0x827773 registers.esp: 1638204 registers.edi: 4294938664 registers.eax: 31630 registers.ebp: 3972042772 registers.edx: 0 registers.ebx: 24811 registers.esi: 8549183 registers.ecx: 8580754	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 55 fe ff ff 5e e9 5c fe ff ff 83 c4 04 83 exception.symbol: 3eueygl+0x42a3dc exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4367324 exception.address: 0x82a3dc registers.esp: 1638200 registers.edi: 8560480 registers.eax: 28673 registers.ebp: 3972042772 registers.edx: 663063529 registers.ebx: 24812 registers.esi: 8560215 registers.ecx: 8561017	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 81 ef 04 00 00 00 exception.symbol: 3eueygl+0x42a905 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4368645 exception.address: 0x82a905 registers.esp: 1638204 registers.edi: 8560480 registers.eax: 0 registers.ebp: 3972042772 registers.edx: 81129 registers.ebx: 24812 registers.esi: 8560215 registers.ecx: 8563826	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 e9 57 04 00 00 ff 34 exception.symbol: 3eueygl+0x42b51e exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4371742 exception.address: 0x82b51e registers.esp: 1638200 registers.edi: 8560480 registers.eax: 27579 registers.ebp: 3972042772 registers.edx: 8565946 registers.ebx: 24812 registers.esi: 8560215 registers.ecx: 977435011	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 33 00 00 00 ff 34 24 59 e9 ff 02 00 00 68 exception.symbol: 3eueygl+0x42ba62 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4373090 exception.address: 0x82ba62 registers.esp: 1638204 registers.edi: 8560480 registers.eax: 27579 registers.ebp: 3972042772 registers.edx: 8593525 registers.ebx: 24812 registers.esi: 8560215 registers.ecx: 977435011	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb e9 60 01 00 00 5f c1 e7 06 c1 e7 04 83 ec 04 exception.symbol: 3eueygl+0x42b6c6 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4372166 exception.address: 0x82b6c6 registers.esp: 1638204 registers.edi: 8560480 registers.eax: 1015763031 registers.ebp: 3972042772 registers.edx: 8569097 registers.ebx: 24812 registers.esi: 8560215 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 56 51 b9 00 f4 fe 3f e9 5d 01 00 00 89 14 24 exception.symbol: 3eueygl+0x436d79 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4418937 exception.address: 0x836d79 registers.esp: 1638204 registers.edi: 8591527 registers.eax: 8615748 registers.ebp: 3972042772 registers.edx: 604277073 registers.ebx: 1969225702 registers.esi: 0 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 51 53 bb c8 6f f9 4e 81 f3 17 e5 af 69 e9 cb exception.symbol: 3eueygl+0x437ed2 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4423378 exception.address: 0x837ed2 registers.esp: 1638204 registers.edi: 8591527 registers.eax: 8643351 registers.ebp: 3972042772 registers.edx: 604277073 registers.ebx: 813856655 registers.esi: 0 registers.ecx: 1577701360	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb b9 64 78 b7 6a 68 90 43 b8 10 89 14 24 ba 8f exception.symbol: 3eueygl+0x437d8b exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4423051 exception.address: 0x837d8b registers.esp: 1638204 registers.edi: 0 registers.eax: 8619511 registers.ebp: 3972042772 registers.edx: 604277073 registers.ebx: 813856655 registers.esi: 889147479 registers.ecx: 1577701360	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 68 a2 12 6d 6e 58 e9 39 fe ff ff 81 e9 23 exception.symbol: 3eueygl+0x44e95c exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4516188 exception.address: 0x84e95c registers.esp: 1638200 registers.edi: 8688691 registers.eax: 31568 registers.ebp: 3972042772 registers.edx: 8709661 registers.ebx: 8651072 registers.esi: 8651068 registers.ecx: 753664000	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 51 b9 1c cf 80 6e 53 e9 87 fb ff ff c7 04 24 exception.symbol: 3eueygl+0x44eac7 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4516551 exception.address: 0x84eac7 registers.esp: 1638204 registers.edi: 8688691 registers.eax: 0 registers.ebp: 3972042772 registers.edx: 8712369 registers.ebx: 8651072 registers.esi: 8651068 registers.ecx: 604292950	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 89 2c 24 53 bb 44 exception.symbol: 3eueygl+0x452484 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4531332 exception.address: 0x852484 registers.esp: 1638204 registers.edi: 8688691 registers.eax: 29654 registers.ebp: 3972042772 registers.edx: 3915076691 registers.ebx: 8728133 registers.esi: 8651068 registers.ecx: 0	1
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: fb 50 56 56 c7 04 24 71 41 ff 67 5e 81 ce c5 10 exception.symbol: 3eueygl+0x45d301 exception.instruction: sti exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4576001 exception.address: 0x85d301 registers.esp: 1638200 registers.edi: 0 registers.eax: 28186 registers.ebp: 3972042772 registers.edx: 8768566 registers.ebx: 1891411197 registers.esi: 4140504946 registers.ecx: 109	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199807592927

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199807592927

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 118784 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:17 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044e0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

3EUEYgl.exe tried to sleep 1043 seconds, actually delayed analysis time by 1043 seconds

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0001ce00', u'virtual_address': u'0x00001000', u'entropy': 7.956161787318511, u'name': u' \\x00 ', u'virtual_size': u'0x00246000'}

entropy

7.95616178732

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a3200', u'virtual_address': u'0x004f4000', u'entropy': 7.9539409852764, u'name': u'xiumbxnc', u'virtual_size': u'0x001a4000'}

entropy

7.95394098528

description

A section with a high entropy has been found

entropy

0.993623509842

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (1 event)

host

65.109.242.111

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 341 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Dec. 16, 2024, 6:17 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	3EUEYgl.exe				useragent
process	3EUEYgl.exe				useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 16, 2024, 6:17 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 53 55 89 24 24 83 04 24 exception.symbol: 3eueygl+0x3dc6e7 exception.instruction: in eax, dx exception.module: 3EUEYgl.exe exception.exception_code: 0xc0000096 exception.offset: 4048615 exception.address: 0x7dc6e7 registers.esp: 1638236 registers.edi: 12463745 registers.eax: 1447909480 registers.ebp: 3972042772 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 8223566 registers.ecx: 20	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

65.109.242.111:443

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealerc.1m!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojanspy.Convagent
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKD.75150574
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75150574
Sangfor	Infostealer.Win32.Stealerc.Vm3b
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75150574
K7GW	Trojan ( 00587f0f1 )
K7AntiVirus	Trojan ( 00587f0f1 )
Arcabit	Trojan.Generic.D47AB4EE
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	Trojan-PSW.Win32.Stealerc.oym
Alibaba	TrojanPSW:Win32/Stealerc.64ff1a44
NANO-Antivirus	Trojan.Win32.Crypted.ktyssw
MicroWorld-eScan	Trojan.GenericKD.75150574
Rising	Spyware.Convagent!8.12330 (CLOUD)
Emsisoft	Trojan.GenericKD.75150574 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.PWS.Vidar.66
Zillya	Trojan.Stealerc.Win32.36817
McAfeeD	Real Protect-LS!3B8B3018E328
Trapmine	malicious.high.ml.score
CTX	exe.trojan.stealerc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.3b8b3018e3283830
Google	Detected
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan[PSW]/Win32.StealerC
Kingsoft	malware.kb.b.998
Gridinsoft	Trojan.Heur!.038120A1
Xcitium	Malware@#y3tvqdubqono
Microsoft	Spyware:Win32/Multiverze
ViRobot	Trojan.Win.Z.Symmi.1850880.B
GData	Trojan.GenericKD.75150574
Varist	W32/ABTrojan.DBCO-0267
AhnLab-V3	Trojan/Win.Generic.C5701603
McAfee	Artemis!3B8B3018E328
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.MalPack
Ikarus	Trojan.Win32.Themida

3EUEYgl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All