Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 5, 2025, 12:05 p.m.	Feb. 5, 2025, 12:07 p.m.

Size	1.7MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`f662cb18e04cc62863751b672570bd7d`
SHA256	`1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2`
CRC32	`FCE58CE0`
ssdeep	`24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IWA:+STZJPqyhWzXRU6l3rIDUmGhgscIa`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2536

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31

IP Address	Status	Action
103.84.89.222	Active	Moloch
104.26.13.31	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 103.84.89.222:33791 -> 192.168.56.101:49162	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	Malware Command and Control Activity Detected
TCP 103.84.89.222:33791 -> 192.168.56.101:49162	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 104.26.13.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.84.89.222:33791 -> 192.168.56.101:49194	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	Malware Command and Control Activity Detected
TCP 103.84.89.222:33791 -> 192.168.56.101:49195	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	Malware Command and Control Activity Detected
TCP 103.84.89.222:33791 -> 192.168.56.101:49162	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 104.26.13.31:443	C=US, O=Google Trust Services, CN=WR1	CN=api.ip.sb	18:02:cf:86:0c:f3:3a:20:66:af:18:a5:ce:77:c7:62:52:30:66:32

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 5, 2025, 12:05 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0
IsDebuggerPresent Feb. 5, 2025, 12:05 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045d0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045d0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045d2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00524490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00524490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00524250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00524c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00524d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00524d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 5, 2025, 12:05 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	efrqcofg
section	yqrfybbc
section	.taggant

One or more processes crashed (50 out of 131 events)

Time & API	Arguments	Status
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x2c80b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2916537 exception.address: 0xe080b9 registers.esp: 3931372 registers.edi: 0 registers.eax: 1 registers.ebp: 3931388 registers.edx: 16465920 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: 66 81 38 4d 5a 75 0e 0f b7 50 3c 01 c2 81 3a 50 exception.symbol: random+0x1f96d exception.instruction: cmp word ptr [eax], 0x5a4d exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 129389 exception.address: 0xb5f96d registers.esp: 3931332 registers.edi: 0 registers.eax: 11800576 registers.ebp: 4001947668 registers.edx: 122880 registers.ebx: 57344 registers.esi: 0 registers.ecx: 122880	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 c7 02 00 00 01 cb 81 eb 5d 09 d6 exception.symbol: random+0x20122 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 131362 exception.address: 0xb60122 registers.esp: 3931336 registers.edi: 1968898280 registers.eax: 27056 registers.ebp: 4001947668 registers.edx: 11926892 registers.ebx: 11899350 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 48 a0 f5 7b 81 0c 24 82 49 bf 77 exception.symbol: random+0x20548 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 132424 exception.address: 0xb60548 registers.esp: 3931340 registers.edi: 1968898280 registers.eax: 27056 registers.ebp: 4001947668 registers.edx: 11953948 registers.ebx: 11899350 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb b8 f3 fb ff 3f 05 01 00 00 00 2d cc 00 88 c2 exception.symbol: random+0x1ffa5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 130981 exception.address: 0xb5ffa5 registers.esp: 3931340 registers.edi: 1968898280 registers.eax: 233705 registers.ebp: 4001947668 registers.edx: 11929476 registers.ebx: 11899350 registers.esi: 3 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 e8 f8 ff ff 81 c2 4a 14 50 80 01 d6 5a e9 exception.symbol: random+0x216df exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 136927 exception.address: 0xb616df registers.esp: 3931340 registers.edi: 1968898280 registers.eax: 31132 registers.ebp: 4001947668 registers.edx: 11929476 registers.ebx: 11961989 registers.esi: 3 registers.ecx: 2040085459	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 68 85 14 5f 19 89 0c 24 b9 7a a1 ee 77 f7 d9 exception.symbol: random+0x20db8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 134584 exception.address: 0xb60db8 registers.esp: 3931340 registers.edi: 1259 registers.eax: 4294939012 registers.ebp: 4001947668 registers.edx: 11929476 registers.ebx: 11961989 registers.esi: 3 registers.ecx: 2040085459	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 7f 01 00 00 ff 34 24 e9 36 02 00 00 f7 d5 exception.symbol: random+0x1a0d3b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1707323 exception.address: 0xce0d3b registers.esp: 3931336 registers.edi: 11965734 registers.eax: 30903 registers.ebp: 4001947668 registers.edx: 11924857 registers.ebx: 13501890 registers.esi: 13501481 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 0f 02 00 00 50 b8 63 23 7d 7f f7 d8 52 ba exception.symbol: random+0x1a070d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1705741 exception.address: 0xce070d registers.esp: 3931340 registers.edi: 11965734 registers.eax: 30903 registers.ebp: 4001947668 registers.edx: 604292949 registers.ebx: 13504881 registers.esi: 13501481 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb be 00 af db 32 c1 ee 02 e9 0f 02 00 00 89 2c exception.symbol: random+0x1a6207 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1729031 exception.address: 0xce6207 registers.esp: 3931340 registers.edi: 11965734 registers.eax: 27621 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 58327930 registers.esi: 13501481 registers.ecx: 13551833	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 ae 00 00 00 89 eb 5d 81 eb a6 eb exception.symbol: random+0x1a6365 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1729381 exception.address: 0xce6365 registers.esp: 3931340 registers.edi: 1549541099 registers.eax: 27621 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 58327930 registers.esi: 0 registers.ecx: 13527273	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 a4 4b a9 1e 89 14 24 e9 7d 00 00 exception.symbol: random+0x1ae032 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1761330 exception.address: 0xcee032 registers.esp: 3931336 registers.edi: 4402592 registers.eax: 13556410 registers.ebp: 4001947668 registers.edx: 95 registers.ebx: 13527299 registers.esi: 3154116600 registers.ecx: 13527299	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 50 b8 18 9c e9 7f 89 44 24 04 8b exception.symbol: random+0x1adc22 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1760290 exception.address: 0xcedc22 registers.esp: 3931340 registers.edi: 4402592 registers.eax: 13589273 registers.ebp: 4001947668 registers.edx: 95 registers.ebx: 13527299 registers.esi: 3154116600 registers.ecx: 13527299	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 57 55 50 b8 f2 26 f7 5b 05 82 2e cf 7e 0d e7 exception.symbol: random+0x1add60 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1760608 exception.address: 0xcedd60 registers.esp: 3931340 registers.edi: 1114345 registers.eax: 13559273 registers.ebp: 4001947668 registers.edx: 95 registers.ebx: 13527299 registers.esi: 3154116600 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 bb 4f ed 68 e9 14 fa exception.symbol: random+0x1b1e5c exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1777244 exception.address: 0xcf1e5c registers.esp: 3931332 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4001947668 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 13563437 registers.ecx: 20	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1b0fee exception.address: 0xcf0fee exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 1773550 registers.esp: 3931332 registers.edi: 1114345 registers.eax: 1 registers.ebp: 4001947668 registers.edx: 22104 registers.ebx: 0 registers.esi: 13563437 registers.ecx: 20	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 e5 2a 2d 12 01 exception.symbol: random+0x1b4502 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1787138 exception.address: 0xcf4502 registers.esp: 3931332 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4001947668 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13563437 registers.ecx: 10	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 50 e8 03 00 00 00 20 58 c3 58 exception.symbol: random+0x1b8026 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 1802278 exception.address: 0xcf8026 registers.esp: 3931300 registers.edi: 0 registers.eax: 3931300 registers.ebp: 4001947668 registers.edx: 13598665 registers.ebx: 13599012 registers.esi: 13598729 registers.ecx: 2127337687	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 68 5c ed 88 56 89 04 24 89 14 24 89 3c 24 e9 exception.symbol: random+0x1b8c63 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1805411 exception.address: 0xcf8c63 registers.esp: 3931336 registers.edi: 1114345 registers.eax: 31580 registers.ebp: 4001947668 registers.edx: 2130541812 registers.ebx: 52861671 registers.esi: 3621718414 registers.ecx: 13599764	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 31 f6 e9 ff 00 00 00 05 8a f8 df 7e e9 cf fc exception.symbol: random+0x1b8ceb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1805547 exception.address: 0xcf8ceb registers.esp: 3931340 registers.edi: 1114345 registers.eax: 31580 registers.ebp: 4001947668 registers.edx: 2130541812 registers.ebx: 52861671 registers.esi: 3621718414 registers.ecx: 13631344	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 56 89 1c 24 57 57 c7 04 24 4a aa e0 7b 5f 81 exception.symbol: random+0x1b864a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1803850 exception.address: 0xcf864a registers.esp: 3931340 registers.edi: 1114345 registers.eax: 31580 registers.ebp: 4001947668 registers.edx: 6379 registers.ebx: 52861671 registers.esi: 4294938632 registers.ecx: 13631344	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 81 e9 04 00 00 00 exception.symbol: random+0x1c744f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1864783 exception.address: 0xd0744f registers.esp: 3931340 registers.edi: 262633 registers.eax: 25740 registers.ebp: 4001947668 registers.edx: 4294944320 registers.ebx: 52861893 registers.esi: 13686206 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 57 75 34 41 89 14 24 83 ec 04 89 exception.symbol: random+0x1cce35 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1887797 exception.address: 0xd0ce35 registers.esp: 3931328 registers.edi: 262633 registers.eax: 32520 registers.ebp: 4001947668 registers.edx: 4294944320 registers.ebx: 52861893 registers.esi: 13686206 registers.ecx: 13682692	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 57 52 89 e2 81 c2 04 00 00 00 81 ea 04 00 00 exception.symbol: random+0x1ccd6a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1887594 exception.address: 0xd0cd6a registers.esp: 3931332 registers.edi: 8184168 registers.eax: 4294937296 registers.ebp: 4001947668 registers.edx: 4294944320 registers.ebx: 52861893 registers.esi: 13686206 registers.ecx: 13715212	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 3a ff 34 24 59 52 c7 04 24 81 79 exception.symbol: random+0x1cd9ca exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1890762 exception.address: 0xd0d9ca registers.esp: 3931332 registers.edi: 8184168 registers.eax: 31969 registers.ebp: 4001947668 registers.edx: 13717516 registers.ebx: 52861893 registers.esi: 13686206 registers.ecx: 13715212	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 c4 01 00 00 89 0c 24 8f 04 3a e9 98 02 00 exception.symbol: random+0x1cd555 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1889621 exception.address: 0xd0d555 registers.esp: 3931332 registers.edi: 4294938120 registers.eax: 31969 registers.ebp: 4001947668 registers.edx: 13717516 registers.ebx: 52861893 registers.esi: 13686206 registers.ecx: 2179434839	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 52 53 bb 0e b6 79 36 ba 26 08 eb 06 01 da 5b exception.symbol: random+0x1d41b6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1917366 exception.address: 0xd141b6 registers.esp: 3931328 registers.edi: 13712460 registers.eax: 29634 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 4294963178 registers.esi: 14760 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 04 fb ff ff 43 81 eb 36 19 c7 3b 81 f3 7c exception.symbol: random+0x1d443d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1918013 exception.address: 0xd1443d registers.esp: 3931332 registers.edi: 13742094 registers.eax: 29634 registers.ebp: 4001947668 registers.edx: 4294940092 registers.ebx: 4294963178 registers.esi: 1783979243 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 2b fc ff ff ee 56 b1 7b 66 2d b1 ac 8e 0c exception.symbol: random+0x1de4a2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1959074 exception.address: 0xd1e4a2 registers.esp: 3931328 registers.edi: 2130566132 registers.eax: 32394 registers.ebp: 4001947668 registers.edx: 19574 registers.ebx: 13752530 registers.esi: 19574 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 d0 f5 ff ff 87 ce e9 24 f5 ff ff 83 c3 04 exception.symbol: random+0x1de48c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1959052 exception.address: 0xd1e48c registers.esp: 3931332 registers.edi: 1358981728 registers.eax: 32394 registers.ebp: 4001947668 registers.edx: 4294937928 registers.ebx: 13784924 registers.esi: 19574 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 57 83 ec 04 89 14 24 57 bf bb b2 f5 41 ba c6 exception.symbol: random+0x1f2e49 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2043465 exception.address: 0xd32e49 registers.esp: 3931296 registers.edi: 4001947668 registers.eax: 26161 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 1845493787 registers.esi: 13837942 registers.ecx: 2144400987	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 52 89 e2 81 c2 04 00 00 00 53 exception.symbol: random+0x1f2d88 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2043272 exception.address: 0xd32d88 registers.esp: 3931300 registers.edi: 4001947668 registers.eax: 26161 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 4294943476 registers.esi: 13864103 registers.ecx: 3091440056	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 51 57 c7 04 24 c4 3c e4 60 e9 7c 04 00 00 83 exception.symbol: random+0x1f3719 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2045721 exception.address: 0xd33719 registers.esp: 3931300 registers.edi: 0 registers.eax: 2179369302 registers.ebp: 4001947668 registers.edx: 1252846333 registers.ebx: 4294943476 registers.esi: 13864103 registers.ecx: 13843463	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb bb 47 d3 7f 7c 51 b9 39 3f fe 7f c1 e1 02 e9 exception.symbol: random+0x1f4aa9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2050729 exception.address: 0xd34aa9 registers.esp: 3931300 registers.edi: 0 registers.eax: 1392536160 registers.ebp: 4001947668 registers.edx: 13847556 registers.ebx: 4294943476 registers.esi: 0 registers.ecx: 755245268	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 2f fa ff ff 52 81 ec 04 00 00 00 e9 63 fa exception.symbol: random+0x1f75a3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2061731 exception.address: 0xd375a3 registers.esp: 3931296 registers.edi: 3998986124 registers.eax: 25130 registers.ebp: 4001947668 registers.edx: 1576792021 registers.ebx: 4007391167 registers.esi: 13856512 registers.ecx: 1590646800	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 68 b2 4d ca 38 89 3c 24 c7 04 24 5c f4 c7 72 exception.symbol: random+0x1f7427 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2061351 exception.address: 0xd37427 registers.esp: 3931300 registers.edi: 3998986124 registers.eax: 25130 registers.ebp: 4001947668 registers.edx: 1576792021 registers.ebx: 4007391167 registers.esi: 13881642 registers.ecx: 1590646800	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 e9 df 00 00 00 8b 14 24 83 exception.symbol: random+0x1f750f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2061583 exception.address: 0xd3750f registers.esp: 3931300 registers.edi: 3998986124 registers.eax: 0 registers.ebp: 4001947668 registers.edx: 765161 registers.ebx: 4007391167 registers.esi: 13859034 registers.ecx: 1590646800	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 51 68 88 78 ff 7f ff 34 24 59 81 c4 04 00 00 exception.symbol: random+0x203548 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2110792 exception.address: 0xd43548 registers.esp: 3931300 registers.edi: 0 registers.eax: 27535 registers.ebp: 4001947668 registers.edx: 13909422 registers.ebx: 11930169 registers.esi: 24811 registers.ecx: 1971716238	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb b8 58 5d 6f 5e 57 54 e9 17 f5 ff ff 81 eb c6 exception.symbol: random+0x208c7b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2133115 exception.address: 0xd48c7b registers.esp: 3931300 registers.edi: 0 registers.eax: 26378 registers.ebp: 4001947668 registers.edx: 202 registers.ebx: 13953182 registers.esi: 24811 registers.ecx: 203	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 57 50 68 d9 b1 bf 13 e9 ed f7 ff ff 50 e9 13 exception.symbol: random+0x208a99 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2132633 exception.address: 0xd48a99 registers.esp: 3931300 registers.edi: 604801360 registers.eax: 4294944036 registers.ebp: 4001947668 registers.edx: 202 registers.ebx: 13953182 registers.esi: 24811 registers.ecx: 203	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 55 bd 36 a2 ba 6e 01 e9 5d 03 0c 24 68 00 c6 exception.symbol: random+0x20914e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2134350 exception.address: 0xd4914e registers.esp: 3931296 registers.edi: 604801360 registers.eax: 27766 registers.ebp: 4001947668 registers.edx: 933130170 registers.ebx: 1245335656 registers.esi: 24811 registers.ecx: 13930348	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 31 ff e9 21 ff ff ff 89 e2 81 c2 04 00 00 00 exception.symbol: random+0x209779 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2135929 exception.address: 0xd49779 registers.esp: 3931300 registers.edi: 604801360 registers.eax: 27766 registers.ebp: 4001947668 registers.edx: 933130170 registers.ebx: 1245335656 registers.esi: 24811 registers.ecx: 13958114	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 52 e9 3e fe ff ff 81 34 24 56 c6 f6 66 81 34 exception.symbol: random+0x20993c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2136380 exception.address: 0xd4993c registers.esp: 3931300 registers.edi: 4294942096 registers.eax: 33001 registers.ebp: 4001947668 registers.edx: 933130170 registers.ebx: 1245335656 registers.esi: 24811 registers.ecx: 13958114	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 89 05 00 00 c1 ef 08 81 f7 51 79 b0 77 e9 exception.symbol: random+0x220d1d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2231581 exception.address: 0xd60d1d registers.esp: 3931300 registers.edi: 14006336 registers.eax: 30153 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 14057427 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 56 54 5e e9 44 03 00 00 ff 34 24 58 52 89 e2 exception.symbol: random+0x220bdf exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2231263 exception.address: 0xd60bdf registers.esp: 3931300 registers.edi: 578191464 registers.eax: 30153 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 14030343 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 81 c2 8f 57 be 79 03 14 24 51 e9 54 01 00 00 exception.symbol: random+0x221945 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2234693 exception.address: 0xd61945 registers.esp: 3931296 registers.edi: 578191464 registers.eax: 26954 registers.ebp: 4001947668 registers.edx: 14030719 registers.ebx: 2104137798 registers.esi: 14030343 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 60 d3 7b 67 89 0c 24 50 68 41 29 exception.symbol: random+0x22218f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2236815 exception.address: 0xd6218f registers.esp: 3931300 registers.edi: 578191464 registers.eax: 4294942956 registers.ebp: 4001947668 registers.edx: 14057673 registers.ebx: 322689 registers.esi: 14030343 registers.ecx: 0	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 55 89 34 24 53 c7 04 24 f5 0e 16 3c 89 0c 24 exception.symbol: random+0x22bdc4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2276804 exception.address: 0xd6bdc4 registers.esp: 3931300 registers.edi: 14061797 registers.eax: 14101163 registers.ebp: 4001947668 registers.edx: 2130566132 registers.ebx: 14034778 registers.esi: 10469640 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb e9 67 01 00 00 c1 e8 02 05 19 02 03 07 21 c5 exception.symbol: random+0x22bd39 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2276665 exception.address: 0xd6bd39 registers.esp: 3931300 registers.edi: 0 registers.eax: 14076279 registers.ebp: 4001947668 registers.edx: 3297929302 registers.ebx: 14034778 registers.esi: 10469640 registers.ecx: 2122317824	1
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 dd 01 00 00 81 c1 74 b6 exception.symbol: random+0x22cf4d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2281293 exception.address: 0xd6cf4d registers.esp: 3931300 registers.edi: 0 registers.eax: 30522 registers.ebp: 4001947668 registers.edx: 14107162 registers.ebx: 14034778 registers.esi: 10469640 registers.ecx: 519446519	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/geoip

Performs some HTTP requests (1 event)

request

GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1029 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74822000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76430000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e12d0 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c19a8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74822000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7482224c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c17d0 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75850000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x759d0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76430000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76430070 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765d1014 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1394 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75c40000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x760b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1188 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754710e4 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c180c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75850000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7585035c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a810ec process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765d11c8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c13a8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7482124c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75c40000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75c40270 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x760b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x760b1198 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1274 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Feb. 5, 2025, 12:05 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 5, 2025, 12:05 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000a400', u'virtual_address': u'0x00002000', u'entropy': 7.966652808119381, u'name': u' \\x00 ', u'virtual_size': u'0x00018000'}

entropy

7.96665280812

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a9c00', u'virtual_address': u'0x002c8000', u'entropy': 7.953268361224683, u'name': u'efrqcofg', u'virtual_size': u'0x001aa000'}

entropy

7.95326836122

description

A section with a high entropy has been found

entropy

0.993449159784

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 5, 2025, 12:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: AddressBook base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: Connection Manager base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: DirectDrawEx base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: EditPlus base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: ENTERPRISE base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: Fontcore base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: Google Chrome base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: IE40 base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: IE4Data base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: IE5BAKEX base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: IEData base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: MobileOptionPack base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: SchedulingAgent base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: WIC base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Feb. 5, 2025, 12:05 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000006c4 key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Communicates with host for which no DNS query was performed (1 event)

host

103.84.89.222

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (44 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 5, 2025, 12:05 p.m.	class_name: pediy06 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Feb. 5, 2025, 12:05 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 5, 2025, 12:05 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 bb 4f ed 68 e9 14 fa exception.symbol: random+0x1b1e5c exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1777244 exception.address: 0xcf1e5c registers.esp: 3931332 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4001947668 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 13563437 registers.ecx: 20	1	0	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.173865748770bd7d
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Zusy.579130
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.579130
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Zusy.579130
K7GW	Trojan ( 00563e691 )
K7AntiVirus	Trojan ( 00563e691 )
Arcabit	Trojan.Zusy.D8D63A
VirIT	Trojan.Win32.Themida.HPJ
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	Trojan-Spy.Win32.Stealer.fktn
Alibaba	TrojanSpy:Win32/Stealer.e7d8e01d
MicroWorld-eScan	Gen:Variant.Zusy.579130
Rising	Trojan.Agent!1.1279C (CLASSIC)
Emsisoft	Gen:Variant.Zusy.579130 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.Siggen30.55646
TrendMicro	Trojan.Win32.AMADEY.YXFA5Z
McAfeeD	Real Protect-LS!F662CB18E04C
Trapmine	malicious.high.ml.score
CTX	exe.trojan.stealer
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.f662cb18e04cc628
Google	Detected
Avira	TR/Crypt.TPM.Gen
Antiy-AVL	Trojan[Spy]/Win32.Phpw
Kingsoft	Win32.Trojan-Spy.Stealer.fktn
Gridinsoft	Malware.Win32.RedLine.tr
Xcitium	Malware@#1bgk2xbptsili
Microsoft	Trojan:MSIL/Redline!rfn
GData	Gen:Variant.Zusy.579130
Varist	W32/MSIL_Agent.CRG.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5724614
McAfee	Artemis!F662CB18E04C
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Spyware.PasswordStealer
Ikarus	Trojan.Win32.Themida
Panda	Trj/Chgt.AD

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All