Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 11, 2025, 10:39 a.m.	Feb. 11, 2025, 10:42 a.m.

Size	4.1MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`4550b8e1193d6362b3f4d1ed2d037d99`
SHA256	`3f7bdb13f1924f0b449b67e7bcea60907b0955e88904f2817f276eafd91ee22f`
CRC32	`A71AC26E`
ssdeep	`98304:tYlOJ2JMv6EfdKVqP7RO+4WY9PXhWI/K4cYh6JNCYqkR1rn4O8:tYlOv3PNO+dYVhbS4VkYkR17R8`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2052
- AcroRd32.exe "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744CAF070E41400\15.7.20033\AcroRd32.exe"
  2580
  - TUkPBSjq98t.exe "C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe"
    2704
    - TUkPBSjq98t.tmp "C:\Users\test22\AppData\Local\Temp\is-8TGGH.tmp\TUkPBSjq98t.tmp" /SL5="$5002A,5096402,56832,C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe"
      2792
      - dbrecovery29.exe "C:\Users\test22\AppData\Local\DataBase Recovery 1.0.5.29\dbrecovery29.exe" -i
        2884
  - R8ot56WNPt.exe "C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe"
    2928
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.156.73.73	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.156.73.73:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.156.73.73:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.156.73.73:80 -> 192.168.56.103:49165	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.156.73.73:80 -> 192.168.56.103:49171	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Feb. 11, 2025, 10:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 11, 2025, 10:39 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:39 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:39 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:39 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:33 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:33 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 11, 2025, 10:33 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	tkdglalw
section	kldiioqy
section	.taggant

One or more processes crashed (50 out of 125 events)

Time & API	Arguments	Status
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x9740b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 9912505 exception.address: 0x19240b9 registers.esp: 2620696 registers.edi: 0 registers.eax: 1 registers.ebp: 2620712 registers.edx: 28209152 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 29 db 52 89 da 50 e9 84 fc ff ff 83 c4 04 01 exception.symbol: random+0x6372dd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 6517469 exception.address: 0x15e72dd registers.esp: 2620664 registers.edi: 1971192040 registers.eax: 22996894 registers.ebp: 4012986388 registers.edx: 16449536 registers.ebx: 17155 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 b8 0d 9d fd 6f 50 e9 80 fc ff ff 87 34 24 exception.symbol: random+0x637255 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 6517333 exception.address: 0x15e7255 registers.esp: 2620664 registers.edi: 1971192040 registers.eax: 22996894 registers.ebp: 4012986388 registers.edx: 16449536 registers.ebx: 4294939048 registers.esi: 3 registers.ecx: 234729	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 7e eb 4e 0e 89 1c 24 e9 7c fd ff exception.symbol: random+0x638207 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 6521351 exception.address: 0x15e8207 registers.esp: 2620660 registers.edi: 22970034 registers.eax: 29123 registers.ebp: 4012986388 registers.edx: 1304655327 registers.ebx: 1697487138 registers.esi: 3 registers.ecx: 234729	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 29 c0 e9 38 f8 ff ff 20 bc 3c 51 37 bd 29 6e exception.symbol: random+0x638819 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 6522905 exception.address: 0x15e8819 registers.esp: 2620664 registers.edi: 22999157 registers.eax: 29123 registers.ebp: 4012986388 registers.edx: 1304655327 registers.ebx: 1697487138 registers.esi: 3 registers.ecx: 234729	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 17 2a 4e 40 89 04 24 89 e0 05 04 00 00 00 exception.symbol: random+0x63829a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 6521498 exception.address: 0x15e829a registers.esp: 2620664 registers.edi: 22999157 registers.eax: 4294940584 registers.ebp: 4012986388 registers.edx: 1259 registers.ebx: 1697487138 registers.esi: 3 registers.ecx: 234729	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 55 68 ca 15 88 1c 89 1c 24 e9 6a fb ff ff 8b exception.symbol: random+0x7b3519 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8074521 exception.address: 0x1763519 registers.esp: 2620664 registers.edi: 24550038 registers.eax: 27173 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 4294943020 registers.esi: 24506110 registers.ecx: 421865	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 52 e9 1f 00 00 00 fb 52 e9 fc 00 00 00 29 c1 exception.symbol: random+0x7b58f2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8083698 exception.address: 0x17658f2 registers.esp: 2620660 registers.edi: 1693655813 registers.eax: 28535 registers.ebp: 4012986388 registers.edx: 4018459112 registers.ebx: 24528787 registers.esi: 24531443 registers.ecx: 1044614172	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 e9 5d fc ff ff 81 eb 6c 99 exception.symbol: random+0x7b5a67 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8084071 exception.address: 0x1765a67 registers.esp: 2620664 registers.edi: 1693655813 registers.eax: 28535 registers.ebp: 4012986388 registers.edx: 4018459112 registers.ebx: 24528787 registers.esi: 24559978 registers.ecx: 1044614172	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 52 e9 fc 00 00 00 29 c1 e9 9f 02 00 00 01 de exception.symbol: random+0x7b58f9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8083705 exception.address: 0x17658f9 registers.esp: 2620664 registers.edi: 1693655813 registers.eax: 50665 registers.ebp: 4012986388 registers.edx: 4018459112 registers.ebx: 24528787 registers.esi: 24534486 registers.ecx: 0	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 dc fd ff ff 89 04 24 81 2c 24 ff 00 bd 5f exception.symbol: random+0x7b7067 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8089703 exception.address: 0x1767067 registers.esp: 2620664 registers.edi: 1693655813 registers.eax: 26225 registers.ebp: 4012986388 registers.edx: 4018459112 registers.ebx: 1796250373 registers.esi: 24534486 registers.ecx: 24563088	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 e7 fa ff ff ff 34 24 e9 3c 02 00 00 f7 d5 exception.symbol: random+0x7b6d65 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8088933 exception.address: 0x1766d65 registers.esp: 2620664 registers.edi: 1259 registers.eax: 4294943776 registers.ebp: 4012986388 registers.edx: 4018459112 registers.ebx: 1796250373 registers.esi: 24534486 registers.ecx: 24563088	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 54 ff 34 24 5d e9 f0 exception.symbol: random+0x7c2195 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8135061 exception.address: 0x1772195 registers.esp: 2620656 registers.edi: 5254776 registers.eax: 1447909480 registers.ebp: 4012986388 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 24568668 registers.ecx: 20	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x7c33f4 exception.address: 0x17733f4 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 8139764 registers.esp: 2620656 registers.edi: 5254776 registers.eax: 1 registers.ebp: 4012986388 registers.edx: 22104 registers.ebx: 0 registers.esi: 24568668 registers.ecx: 20	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 e3 2b 2d 12 01 exception.symbol: random+0x7c2988 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8137096 exception.address: 0x1772988 registers.esp: 2620656 registers.edi: 5254776 registers.eax: 1447909480 registers.ebp: 4012986388 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 24568668 registers.ecx: 10	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 89 06 00 00 5f 4a f7 d2 e9 ab 00 00 00 f7 exception.symbol: random+0x7c7437 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8156215 exception.address: 0x1777437 registers.esp: 2620664 registers.edi: 5254776 registers.eax: 24636169 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 7314749 registers.esi: 10 registers.ecx: 803602432	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 68 b2 5f f0 18 89 3c 24 50 52 exception.symbol: random+0x7c7b72 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8158066 exception.address: 0x1777b72 registers.esp: 2620664 registers.edi: 4294939040 registers.eax: 24636169 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 7314749 registers.esi: 10 registers.ecx: 3504062048	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: random+0x7c7ef0 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 8158960 exception.address: 0x1777ef0 registers.esp: 2620624 registers.edi: 0 registers.eax: 2620624 registers.ebp: 4012986388 registers.edx: 1926350483 registers.ebx: 24608689 registers.esi: 1926350483 registers.ecx: 50835	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 3a 82 f3 6f 89 04 24 b8 b8 52 ff exception.symbol: random+0x7d6ae2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8219362 exception.address: 0x1786ae2 registers.esp: 2620660 registers.edi: 22959422 registers.eax: 27167 registers.ebp: 4012986388 registers.edx: 6 registers.ebx: 7315268 registers.esi: 1971262480 registers.ecx: 24667905	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 52 e9 0e 04 00 00 8f 04 24 8b 24 24 fb 53 c7 exception.symbol: random+0x7d6ad5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8219349 exception.address: 0x1786ad5 registers.esp: 2620664 registers.edi: 22959422 registers.eax: 3653911400 registers.ebp: 4012986388 registers.edx: 6 registers.ebx: 7315268 registers.esi: 4294942784 registers.ecx: 24695072	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 ee ce 93 fb 7f e9 22 06 00 00 81 ee a3 ad exception.symbol: random+0x7d732f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8221487 exception.address: 0x178732f registers.esp: 2620660 registers.edi: 22959422 registers.eax: 30187 registers.ebp: 4012986388 registers.edx: 1622475798 registers.ebx: 420354308 registers.esi: 24670989 registers.ecx: 1321451760	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 e9 c8 04 00 00 be 51 3c ff exception.symbol: random+0x7d792c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8223020 exception.address: 0x178792c registers.esp: 2620664 registers.edi: 22959422 registers.eax: 0 registers.ebp: 4012986388 registers.edx: 1622475798 registers.ebx: 515739240 registers.esi: 24674360 registers.ecx: 1321451760	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 b8 9e 29 f7 17 e9 00 00 00 00 96 4e f7 d6 exception.symbol: random+0x7dcd26 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8244518 exception.address: 0x178cd26 registers.esp: 2620656 registers.edi: 22959422 registers.eax: 30993 registers.ebp: 4012986388 registers.edx: 1622475798 registers.ebx: 501737 registers.esi: 24722258 registers.ecx: 4294939168	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 12 45 ff 7f e9 d7 02 00 00 b8 ff exception.symbol: random+0x7de5b4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8250804 exception.address: 0x178e5b4 registers.esp: 2620656 registers.edi: 22959422 registers.eax: 84201 registers.ebp: 4012986388 registers.edx: 24730116 registers.ebx: 4294938932 registers.esi: 24722258 registers.ecx: 1622475798	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 56 be 7c 76 ba 7e 50 89 3c 24 e9 69 f6 ff ff exception.symbol: random+0x7ee09c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8315036 exception.address: 0x179e09c registers.esp: 2620652 registers.edi: 24553061 registers.eax: 24761417 registers.ebp: 4012986388 registers.edx: 0 registers.ebx: 1098758399 registers.esi: 3673943113 registers.ecx: 2155318498	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 0b c3 e2 79 89 14 24 c7 04 24 f6 exception.symbol: random+0x7ed648 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8312392 exception.address: 0x179d648 registers.esp: 2620656 registers.edi: 24553061 registers.eax: 24793504 registers.ebp: 4012986388 registers.edx: 0 registers.ebx: 1098758399 registers.esi: 3673943113 registers.ecx: 2155318498	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 68 94 e9 ac 48 89 3c 24 e9 exception.symbol: random+0x7ed7e9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8312809 exception.address: 0x179d7e9 registers.esp: 2620656 registers.edi: 24553061 registers.eax: 24793504 registers.ebp: 4012986388 registers.edx: 4294938392 registers.ebx: 1342204512 registers.esi: 3673943113 registers.ecx: 2155318498	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 53 51 e9 aa 00 00 00 89 14 24 51 68 a2 a4 6f exception.symbol: random+0x800a97 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8391319 exception.address: 0x17b0a97 registers.esp: 2620620 registers.edi: 24840771 registers.eax: 26066 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 3045015267 registers.esi: 1538935768 registers.ecx: 2155404982	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 3b 8b 0c 24 68 c1 d6 91 17 89 0c exception.symbol: random+0x800c93 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8391827 exception.address: 0x17b0c93 registers.esp: 2620624 registers.edi: 24866837 registers.eax: 26066 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 3045015267 registers.esi: 1538935768 registers.ecx: 2155404982	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb b8 f9 df 05 10 68 b8 d1 c8 4a 89 1c 24 e9 32 exception.symbol: random+0x800ae3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8391395 exception.address: 0x17b0ae3 registers.esp: 2620624 registers.edi: 24866837 registers.eax: 26066 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 4294943692 registers.esi: 1538935768 registers.ecx: 518496	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 68 56 db 1c 68 89 exception.symbol: random+0x801c65 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8395877 exception.address: 0x17b1c65 registers.esp: 2620624 registers.edi: 1700061402 registers.eax: 30862 registers.ebp: 4012986388 registers.edx: 24875298 registers.ebx: 2122931909 registers.esi: 24843262 registers.ecx: 0	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 80 c8 f5 3d ff 34 24 e9 6d f8 ff ff 31 1c exception.symbol: random+0x802092 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8396946 exception.address: 0x17b2092 registers.esp: 2620624 registers.edi: 1700061402 registers.eax: 0 registers.ebp: 4012986388 registers.edx: 24847346 registers.ebx: 7334226 registers.esi: 24843262 registers.ecx: 0	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 c3 f5 9d e7 7f 55 e9 23 fd ff ff ff 34 24 exception.symbol: random+0x802c0d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8399885 exception.address: 0x17b2c0d registers.esp: 2620620 registers.edi: 1700061402 registers.eax: 26881 registers.ebp: 4012986388 registers.edx: 24847346 registers.ebx: 24847858 registers.esi: 24843262 registers.ecx: 2026618486	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 c4 02 00 00 81 2c 24 cf 3d ff 75 81 2c 24 exception.symbol: random+0x802981 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8399233 exception.address: 0x17b2981 registers.esp: 2620624 registers.edi: 1700061402 registers.eax: 26881 registers.ebp: 4012986388 registers.edx: 4294943080 registers.ebx: 24874739 registers.esi: 1442867808 registers.ecx: 2026618486	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 c1 2a f0 ff 32 81 c1 97 79 7b 7e 03 0c 24 exception.symbol: random+0x807d93 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8420755 exception.address: 0x17b7d93 registers.esp: 2620620 registers.edi: 1700061402 registers.eax: 27276 registers.ebp: 4012986388 registers.edx: 0 registers.ebx: 22969383 registers.esi: 1442867808 registers.ecx: 24867812	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 00 02 fe 45 e9 50 ff ff ff 81 c4 04 00 00 exception.symbol: random+0x807b60 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8420192 exception.address: 0x17b7b60 registers.esp: 2620624 registers.edi: 0 registers.eax: 27276 registers.ebp: 4012986388 registers.edx: 0 registers.ebx: 22969383 registers.esi: 44777 registers.ecx: 24870736	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 05 5d 45 ff 5c e9 db 01 00 00 5e 31 de ff 34 exception.symbol: random+0x809ea7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8429223 exception.address: 0x17b9ea7 registers.esp: 2620620 registers.edi: 0 registers.eax: 24878428 registers.ebp: 4012986388 registers.edx: 1592457933 registers.ebx: 2128715242 registers.esi: 44777 registers.ecx: 24870736	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 29 ff 52 89 e2 81 c2 04 00 00 00 83 ea 04 87 exception.symbol: random+0x80a0b4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8429748 exception.address: 0x17ba0b4 registers.esp: 2620624 registers.edi: 0 registers.eax: 24905382 registers.ebp: 4012986388 registers.edx: 1592457933 registers.ebx: 2128715242 registers.esi: 44777 registers.ecx: 24870736	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 57 52 c7 04 24 96 5d fb 3d e9 57 00 00 00 bb exception.symbol: random+0x80a5fc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8431100 exception.address: 0x17ba5fc registers.esp: 2620624 registers.edi: 4294943128 registers.eax: 24905382 registers.ebp: 4012986388 registers.edx: 1592457933 registers.ebx: 81129 registers.esi: 44777 registers.ecx: 24870736	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 27 05 00 00 55 89 e5 e9 94 00 00 00 f7 d0 exception.symbol: random+0x80b249 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8434249 exception.address: 0x17bb249 registers.esp: 2620624 registers.edi: 4294943128 registers.eax: 31899 registers.ebp: 4012986388 registers.edx: 2005306895 registers.ebx: 81129 registers.esi: 24915135 registers.ecx: 836907821	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 cd ff ff ff 81 c5 04 00 exception.symbol: random+0x80b2df exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8434399 exception.address: 0x17bb2df registers.esp: 2620624 registers.edi: 4294943128 registers.eax: 31899 registers.ebp: 4012986388 registers.edx: 4294937716 registers.ebx: 75395688 registers.esi: 24915135 registers.ecx: 836907821	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 89 1c 24 68 34 96 dd 65 e9 e5 02 exception.symbol: random+0x80d6ff exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8443647 exception.address: 0x17bd6ff registers.esp: 2620620 registers.edi: 24892566 registers.eax: 30076 registers.ebp: 4012986388 registers.edx: 4294961663 registers.ebx: 4294961663 registers.esi: 24891594 registers.ecx: 24891987	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 52 e9 4c fb ff ff 01 f9 ff 34 24 5f e9 27 00 exception.symbol: random+0x80da1f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8444447 exception.address: 0x17bda1f registers.esp: 2620624 registers.edi: 24922642 registers.eax: 30076 registers.ebp: 4012986388 registers.edx: 4294961663 registers.ebx: 4294940072 registers.esi: 24891594 registers.ecx: 157417	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 52 53 e9 fe f9 ff ff f7 d1 81 c1 3e da bf 7a exception.symbol: random+0x816f98 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8482712 exception.address: 0x17c6f98 registers.esp: 2620624 registers.edi: 24922642 registers.eax: 26204 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 24897664 registers.ecx: 24956645	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 51 b9 d8 1d c3 4f f7 d9 c1 e9 07 f7 d1 91 40 exception.symbol: random+0x816d40 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8482112 exception.address: 0x17c6d40 registers.esp: 2620624 registers.edi: 24922642 registers.eax: 881416019 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 4294944208 registers.ecx: 24956645	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 85 fe ff ff 81 c1 f1 76 fd 50 81 e9 5b 5c exception.symbol: random+0x8177e3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8484835 exception.address: 0x17c77e3 registers.esp: 2620620 registers.edi: 24922642 registers.eax: 28749 registers.ebp: 4012986388 registers.edx: 2130566132 registers.ebx: 586326255 registers.esi: 4294944208 registers.ecx: 24933972	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb bb 51 84 bf 43 81 eb d4 3c f7 69 e9 7a 01 00 exception.symbol: random+0x817b52 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8485714 exception.address: 0x17c7b52 registers.esp: 2620624 registers.edi: 24922642 registers.eax: 28749 registers.ebp: 4012986388 registers.edx: 4294941288 registers.ebx: 3924003155 registers.esi: 4294944208 registers.ecx: 24962721	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 53 bb 5c 47 ff 5b 68 13 55 1d 69 89 3c 24 e9 exception.symbol: random+0x830ecf exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8589007 exception.address: 0x17e0ecf registers.esp: 2620624 registers.edi: 25014677 registers.eax: 27966 registers.ebp: 4012986388 registers.edx: 25063401 registers.ebx: 1969225702 registers.esi: 4294942488 registers.ecx: 604292944	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 53 e9 a0 00 00 00 89 e8 5d 89 c7 e9 52 04 00 exception.symbol: random+0x83dcc1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8641729 exception.address: 0x17edcc1 registers.esp: 2620620 registers.edi: 4245455270 registers.eax: 25090123 registers.ebp: 4012986388 registers.edx: 1969270367 registers.ebx: 25067942 registers.esi: 4898796 registers.ecx: 1969282399	1
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 57 e9 03 04 00 00 31 db ff 34 18 53 bb 89 c4 exception.symbol: random+0x83dcde exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8641758 exception.address: 0x17edcde registers.esp: 2620624 registers.edi: 4245455270 registers.eax: 25116842 registers.ebp: 4012986388 registers.edx: 1969270367 registers.ebx: 4294943512 registers.esi: 4898796 registers.ecx: 3923872081	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.156.73.73/success?substr=mixtwo&s=three&sub=non
suspicious_features	Connection to IP address	suspicious_request	GET http://185.156.73.73/info
suspicious_features	Connection to IP address	suspicious_request	GET http://185.156.73.73/update
suspicious_features	Connection to IP address	suspicious_request	GET http://185.156.73.73/service
suspicious_features	Connection to IP address	suspicious_request	GET http://185.156.73.73/ycl

Performs some HTTP requests (5 events)

request	GET http://185.156.73.73/success?substr=mixtwo&s=three&sub=non
request	GET http://185.156.73.73/info
request	GET http://185.156.73.73/update
request	GET http://185.156.73.73/service
request	GET http://185.156.73.73/ycl

Allocates read-write-execute memory (usually to unpack itself) (49 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 2469888 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2491000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b2b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2494000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92df6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:33 a.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Feb. 11, 2025, 10:33 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9909653504 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\DataBase Recovery 1.0.5.29\dbrecovery29.exe
file	C:\Users\test22\AppData\Local\Temp\is-J5134.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe
file	C:\Users\test22\AppData\Local\Temp\s0d7Edv2FGKES7AF5\Bunifu_UI_v1.5.3.dll
file	C:\Users\test22\Desktop\YCL.lnk
file	C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe
file	C:\Users\test22\AppData\Local\Temp\is-J5134.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\s0d7Edv2FGKES7AF5\Y-Cleaner.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\YCL.lnk

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe
file	C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\s0d7Edv2FGKES7AF5\Y-Cleaner.exe
file	C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe
file	C:\Users\test22\AppData\Local\Temp\is-8TGGH.tmp\TUkPBSjq98t.tmp
file	C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe
file	C:\Users\test22\AppData\Local\Temp\is-J5134.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-J5134.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Temp\s0d7Edv2FGKES7AF5\Bunifu_UI_v1.5.3.dll

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0025a400', u'virtual_address': u'0x00001000', u'entropy': 7.985495311310284, u'name': u' \\x00 ', u'virtual_size': u'0x00622000'}

entropy

7.98549531131

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00623000', u'entropy': 7.820760192757654, u'name': u'.rsrc', u'virtual_size': u'0x00010b7c'}

entropy

7.82076019276

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001c1600', u'virtual_address': u'0x00974000', u'entropy': 7.920529440835939, u'name': u'tkdglalw', u'virtual_size': u'0x001c2000'}

entropy

7.92052944084

description

A section with a high entropy has been found

entropy

0.997514792899

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 11, 2025, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://ns.adobe.com/xap/1.0/mm/
url	http://ns.adobe.com/xap/1.0/sType/ResourceRef
url	http://ns.adobe.com/xap/1.0/

Yara rule detected in process memory (16 events)

description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Feb. 11, 2025, 10:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1	2
RegOpenKeyExA Feb. 11, 2025, 10:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1	2
RegOpenKeyExA Feb. 11, 2025, 10:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1	2
RegOpenKeyExA Feb. 11, 2025, 10:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DataBase Recovery_is1	2

Communicates with host for which no DNS query was performed (1 event)

host

185.156.73.73

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2580 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (47 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Feb. 11, 2025, 10:39 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Network activity contains more than one unique useragent (4 events)

process	AcroRd32.exe	useragent	1
process	AcroRd32.exe	useragent	C
process	AcroRd32.exe	useragent	d
process	AcroRd32.exe	useragent	s

An executable file was downloaded by the process acrord32.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àFø¥°@@@@ÐP ,ðCODE0 `DATAP°¢@ÀBSSÀ¦À.idataP Ð ¦@À.tlsà°À.rdatað°@P.relocÄ@P.rsrc,,²@P@è@P request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÙÈÞà"0Þ& @@ @&O@¼`ì%8 H.textä `.rsrc¼@ @@.reloc`@BÀ&H\ ( BSJBv4.0.30319lÀ#~,H#Stringst#USx#GUID#BlobG ú3xíZ!Ú,I¶Ð¶±¶A¶ ¶&¶`¶5íí¶{@ª¢ÈAP ±#R Ô; ÔÔÔ )Ô1Ô9ÔAÔIÔQÔYÔ request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELJlïXà!¨.Æ à @ÔÅWà H.text4¦ ¨ `.rsrcàª@@.reloc°@BÆH `4eU}Yy={Xx=rpo2 o(3 o2 }:s(2rßp(; &Vr¨pr¨p( >þ} ¾(C Öo(D (E } (F (E (G &>þ}ª(C Öo(D }(F (E (H &"þ>þ }R} { oo { "}!{!ê}{#{op {, { oo {!oo {Bsu (v {#{# request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÁ°à"0Zy @ À`ØxOl ¼x H.text0Y Z `.rsrcl\@@.reloc l@ByH}lATl¾Pº ( ( ®~-rpÐ( o s ~~*j(r3p~o tj(rCp~o tj(rp~o tj(rÁp~o tj(rÏp~o tj(ráp~o tj(rp~o t~( Vs( tN( ((0f( 8M o 9: o o -a{=% o ¢% request_handle: 0x00cc000c	1	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 called NtSetContextThread to modify thread in remote process 2580
NtSetContextThread Feb. 11, 2025, 10:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4233272 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000218 process_identifier: 2580	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	acrord32.exe				martian_process	C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe
parent_process	acrord32.exe				martian_process	C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 resumed a thread in remote process 2580
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2580	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 11, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 54 ff 34 24 5d e9 f0 exception.symbol: random+0x7c2195 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 8135061 exception.address: 0x1772195 registers.esp: 2620656 registers.edi: 5254776 registers.eax: 1447909480 registers.ebp: 4012986388 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 24568668 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Feb. 11, 2025, 10:39 a.m.	ordinal: 0 function_address: 0x0027f9a9 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Corrupt.rc
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_90% (D)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
F-Secure	Heuristic.HEUR/AGEN.1314794
McAfeeD	ti!3F7BDB13F192
Trapmine	malicious.high.ml.score
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.4550b8e1193d6362
Google	Detected
Avira	HEUR/AGEN.1314794
Kingsoft	malware.kb.b.981
Gridinsoft	Trojan.Heur!.038121A1
Microsoft	Trojan:Win32/Sabsik.EN.B!ml
AhnLab-V3	Trojan/Win.Evo-gen.C5728871
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanPSW.Agent
Malwarebytes	Malware.AI.8302081
Ikarus	Trojan-PSW.Agent
Zoner	Probably Heur.ExeHeaderL
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Evo-gen [Trj]

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x0000020c	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Windows\Boot\PCAT\memtest.exe track: 0 command_line: filepath_r: C:\Windows\Boot\PCAT\memtest.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000210	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2052	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x0000020c	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2584 thread_handle: 0x00000218 process_identifier: 2580 current_directory: filepath: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744CAF070E41400\15.7.20033\AcroRd32.exe track: 1 command_line: filepath_r: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744CAF070E41400\15.7.20033\AcroRd32.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000214	1	1
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000218	1	0
NtAllocateVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2580 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0
NtSetContextThread Feb. 11, 2025, 10:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4233272 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000218 process_identifier: 2580	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2580	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2708 thread_handle: 0x00000294 process_identifier: 2704 current_directory: filepath: C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000029c	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2932 thread_handle: 0x000002a4 process_identifier: 2928 current_directory: filepath: C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\q8gKvYOtMv\R8ot56WNPt.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000298	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2796 thread_handle: 0x000000d0 process_identifier: 2792 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-8TGGH.tmp\TUkPBSjq98t.tmp" /SL5="$5002A,5096402,56832,C:\Users\test22\AppData\Roaming\xvIpS\TUkPBSjq98t.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 2792	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2888 thread_handle: 0x00000218 process_identifier: 2884 current_directory: C:\Users\test22\AppData\Local\DataBase Recovery 1.0.5.29 filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\DataBase Recovery 1.0.5.29\dbrecovery29.exe" -i filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x000001f4	1	1
NtResumeThread Feb. 11, 2025, 10:33 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread Feb. 11, 2025, 10:33 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread Feb. 11, 2025, 10:33 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2928	1	0

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All