Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2025, 12:44 p.m.	May 4, 2025, 12:55 p.m.

Size	415.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5757874c90b7195e09be379b05ac125f`
SHA256	`5bfafd2f7b59fcb7bbf8827cd24061a450da4db6339d94ec51b3d8f3e55057cd`
CRC32	`6FB5BC93`
ssdeep	`6144:PiUuedoV3Fd31slcPGJHpnzB4v1IkpeZfkCw3uWgGUS/T+WiU+9OTA/ngQAOVmjw:PiUuedoV3Fd6l+spzq4kCweWgB789c`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

amnew.exe "C:\Users\test22\AppData\Local\Temp\amnew.exe"
2544
- taren.exe "C:\Users\test22\AppData\Local\Temp\4d0ca3b476\taren.exe"
  2664
  - ea81591e2a.exe "C:\Users\test22\AppData\Local\Temp\10000510101\ea81591e2a.exe"
    2900
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.200.245.247	Active	Moloch
80.64.18.219	Active	Moloch
80.64.18.63	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 20.200.245.247:443 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 20.200.245.247:443 -> 192.168.56.101:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 20.200.245.247:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 80.64.18.219:80 -> 192.168.56.101:49181	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 80.64.18.63:80 -> 192.168.56.101:49165	2060969	ET MALWARE Amadey CnC Response	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (15 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0

One or more processes crashed (50 out of 701 events)

Time & API	Arguments	Status
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: ea81591e2a+0x6300b9 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 6488249 exception.address: 0xa300b9 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 12414976 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 53 68 e0 79 f8 7b 5b e9 1e 03 00 00 55 bd 95 exception.symbol: ea81591e2a+0x375e1f exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 3628575 exception.address: 0x775e1f registers.esp: 1638240 registers.edi: 7822680 registers.eax: 30822 registers.ebp: 3997843476 registers.edx: 4194304 registers.ebx: 1195460607 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 83 ea 04 87 14 24 exception.symbol: ea81591e2a+0x3763c0 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 3630016 exception.address: 0x7763c0 registers.esp: 1638244 registers.edi: 7853502 registers.eax: 30822 registers.ebp: 3997843476 registers.edx: 4194304 registers.ebx: 1195460607 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 57 56 e9 44 00 00 00 b8 7a 60 ad 3f 05 01 26 exception.symbol: ea81591e2a+0x376008 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 3629064 exception.address: 0x776008 registers.esp: 1638244 registers.edi: 7853502 registers.eax: 4294938992 registers.ebp: 3997843476 registers.edx: 4194304 registers.ebx: 1195460607 registers.esi: 3 registers.ecx: 237801	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 b3 91 85 02 89 1c 24 e9 ed fb ff ff 50 b8 exception.symbol: ea81591e2a+0x37727c exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 3633788 exception.address: 0x77727c registers.esp: 1638240 registers.edi: 7853502 registers.eax: 7826572 registers.ebp: 3997843476 registers.edx: 1987311553 registers.ebx: 1195460607 registers.esi: 3 registers.ecx: 237801	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 22 fd fe 3e c1 24 24 05 81 2c 24 exception.symbol: ea81591e2a+0x3772f0 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 3633904 exception.address: 0x7772f0 registers.esp: 1638244 registers.edi: 7853502 registers.eax: 7857731 registers.ebp: 3997843476 registers.edx: 1987311553 registers.ebx: 1195460607 registers.esi: 4294938724 registers.ecx: 1259	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 57 68 fa fa 17 37 8b 3c 24 e9 7c 00 00 00 53 exception.symbol: ea81591e2a+0x4ebf27 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5160743 exception.address: 0x8ebf27 registers.esp: 1638244 registers.edi: 7861743 registers.eax: 31908 registers.ebp: 3997843476 registers.edx: 2345 registers.ebx: 9384495 registers.esi: 9352106 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 56 68 52 60 f3 7c e9 13 05 00 00 89 3c 24 54 exception.symbol: ea81591e2a+0x4eb90d exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5159181 exception.address: 0x8eb90d registers.esp: 1638244 registers.edi: 7861743 registers.eax: 0 registers.ebp: 3997843476 registers.edx: 2345 registers.ebx: 9355971 registers.esi: 9352106 registers.ecx: 15067472	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 53 bb 6c af db 79 ba 75 90 db de 29 da 5b 81 exception.symbol: ea81591e2a+0x4f23e0 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5186528 exception.address: 0x8f23e0 registers.esp: 1638244 registers.edi: 9409660 registers.eax: 29848 registers.ebp: 3997843476 registers.edx: 95 registers.ebx: 9375410 registers.esi: 96 registers.ecx: 96	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 57 68 94 41 ed 7a e9 00 00 00 00 5f 57 bf c5 exception.symbol: ea81591e2a+0x4f220a exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5186058 exception.address: 0x8f220a registers.esp: 1638244 registers.edi: 9382512 registers.eax: 29848 registers.ebp: 3997843476 registers.edx: 0 registers.ebx: 202985 registers.esi: 96 registers.ecx: 96	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 4b d0 c1 4e 89 34 24 81 ec 04 00 00 00 89 exception.symbol: ea81591e2a+0x4f917a exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5214586 exception.address: 0x8f917a registers.esp: 1638244 registers.edi: 9411211 registers.eax: 0 registers.ebp: 3997843476 registers.edx: 1114345 registers.ebx: 586449778 registers.esi: 96 registers.ecx: 586449778	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 82 2b 97 2a 89 14 24 exception.symbol: ea81591e2a+0x4ff451 exception.instruction: in eax, dx exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5239889 exception.address: 0x8ff451 registers.esp: 1638236 registers.edi: 9411211 registers.eax: 1447909480 registers.ebp: 3997843476 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 9415375 registers.ecx: 20	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: ea81591e2a+0x4fd439 exception.address: 0x8fd439 exception.module: ea81591e2a.exe exception.exception_code: 0xc000001d exception.offset: 5231673 registers.esp: 1638236 registers.edi: 9411211 registers.eax: 1 registers.ebp: 3997843476 registers.edx: 22104 registers.ebx: 0 registers.esi: 9415375 registers.ecx: 20	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 f3 27 2d 12 01 exception.symbol: ea81591e2a+0x4ff6e8 exception.instruction: in eax, dx exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5240552 exception.address: 0x8ff6e8 registers.esp: 1638236 registers.edi: 9411211 registers.eax: 1447909480 registers.ebp: 3997843476 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 9415375 registers.ecx: 10	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 51 54 ff 34 24 e9 7b fd ff ff 81 ed 01 98 57 exception.symbol: ea81591e2a+0x504041 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5259329 exception.address: 0x904041 registers.esp: 1638244 registers.edi: 9481800 registers.eax: 30779 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 50488640 registers.esi: 10 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 ba 00 16 df 7f 81 exception.symbol: ea81591e2a+0x5040e1 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5259489 exception.address: 0x9040e1 registers.esp: 1638244 registers.edi: 9454304 registers.eax: 6379 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 10 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 52 e8 03 00 00 00 20 5a c3 5a exception.symbol: ea81591e2a+0x5047da exception.instruction: int 1 exception.module: ea81591e2a.exe exception.exception_code: 0xc0000005 exception.offset: 5261274 exception.address: 0x9047da registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 3997843476 registers.edx: 17903 registers.ebx: 9455959 registers.esi: 979672899 registers.ecx: 322437120	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 51 55 68 f2 f0 ed 7f 8b 2c 24 83 c4 04 e9 2e exception.symbol: ea81591e2a+0x5140ed exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5325037 exception.address: 0x9140ed registers.esp: 1638240 registers.edi: 7819222 registers.eax: 9517205 registers.ebp: 3997843476 registers.edx: 6 registers.ebx: 50488859 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 31 db e9 2e 03 00 00 8b 04 24 83 c4 04 e9 b0 exception.symbol: ea81591e2a+0x513aea exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5323498 exception.address: 0x913aea registers.esp: 1638244 registers.edi: 7819222 registers.eax: 9548743 registers.ebp: 3997843476 registers.edx: 6 registers.ebx: 50488859 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 2d 07 00 00 2d 27 10 fe 7f 29 f8 05 27 10 exception.symbol: ea81591e2a+0x513a32 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5323314 exception.address: 0x913a32 registers.esp: 1638244 registers.edi: 1179202795 registers.eax: 9548743 registers.ebp: 3997843476 registers.edx: 6 registers.ebx: 4294938244 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 2b fb ff ff b8 21 53 fd 7b c1 e8 07 e9 37 exception.symbol: ea81591e2a+0x515528 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5330216 exception.address: 0x915528 registers.esp: 1638240 registers.edi: 9521887 registers.eax: 26620 registers.ebp: 3997843476 registers.edx: 391512609 registers.ebx: 1492361093 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 de f7 ff ff 89 2c 24 e9 cf fe ff ff 5e 81 exception.symbol: ea81591e2a+0x5155fa exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5330426 exception.address: 0x9155fa registers.esp: 1638244 registers.edi: 9525035 registers.eax: 26620 registers.ebp: 3997843476 registers.edx: 391512609 registers.ebx: 1492361093 registers.esi: 0 registers.ecx: 605325654	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 e9 97 01 00 00 be exception.symbol: ea81591e2a+0x517020 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5337120 exception.address: 0x917020 registers.esp: 1638244 registers.edi: 9560515 registers.eax: 29763 registers.ebp: 3997843476 registers.edx: 230453408 registers.ebx: 699230766 registers.esi: 0 registers.ecx: 605325654	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 e9 5f f9 ff ff 81 ec 04 00 exception.symbol: ea81591e2a+0x517684 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5338756 exception.address: 0x917684 registers.esp: 1638244 registers.edi: 9560515 registers.eax: 29763 registers.ebp: 3997843476 registers.edx: 4294940620 registers.ebx: 1015764055 registers.esi: 0 registers.ecx: 605325654	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 c0 0f b0 1c e9 fe f8 ff ff 5f 35 85 1c 41 exception.symbol: ea81591e2a+0x522347 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5382983 exception.address: 0x922347 registers.esp: 1638236 registers.edi: 4294942152 registers.eax: 28084 registers.ebp: 3997843476 registers.edx: 2867226704 registers.ebx: 9565175 registers.esi: 9602820 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 52 ba d3 b5 d5 26 4a 68 f9 a1 f2 71 89 14 24 exception.symbol: ea81591e2a+0x52eb01 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5434113 exception.address: 0x92eb01 registers.esp: 1638236 registers.edi: 9595463 registers.eax: 0 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 9629823 registers.esi: 1888698704 registers.ecx: 2947910496	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 22 79 a7 3a 89 04 24 89 34 24 81 ec 04 00 exception.symbol: ea81591e2a+0x54088a exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5507210 exception.address: 0x94088a registers.esp: 1638204 registers.edi: 56308 registers.eax: 30261 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 9730801 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 9c 10 b0 75 89 0c 24 e9 1a ff ff ff ba de exception.symbol: ea81591e2a+0x5407fd exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5507069 exception.address: 0x9407fd registers.esp: 1638204 registers.edi: 4294939500 registers.eax: 30261 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 1375758944 registers.esi: 9730801 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 00 ff ff ff 81 c2 20 07 fb b1 89 d6 5a 56 exception.symbol: ea81591e2a+0x541aa3 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5511843 exception.address: 0x941aa3 registers.esp: 1638204 registers.edi: 4053109088 registers.eax: 4294938656 registers.ebp: 3997843476 registers.edx: 744547102 registers.ebx: 9736406 registers.esi: 9730801 registers.ecx: 1583484598	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 92 ed a3 5f 89 04 24 e9 b4 f7 ff exception.symbol: ea81591e2a+0x543176 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5517686 exception.address: 0x943176 registers.esp: 1638204 registers.edi: 1683054102 registers.eax: 35252565 registers.ebp: 3997843476 registers.edx: 2097448083 registers.ebx: 9736406 registers.esi: 0 registers.ecx: 9712216	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 56 e9 bd f8 ff ff 89 04 24 68 00 exception.symbol: ea81591e2a+0x54736e exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5534574 exception.address: 0x94736e registers.esp: 1638204 registers.edi: 3927472744 registers.eax: 32461 registers.ebp: 3997843476 registers.edx: 0 registers.ebx: 65786 registers.esi: 0 registers.ecx: 9729752	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 e0 00 00 00 81 c4 04 00 00 00 52 exception.symbol: ea81591e2a+0x54b8ac exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5552300 exception.address: 0x94b8ac registers.esp: 1638204 registers.edi: 3927472744 registers.eax: 9776431 registers.ebp: 3997843476 registers.edx: 9735599 registers.ebx: 7825855 registers.esi: 3935105580 registers.ecx: 9734212	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 a1 ab f6 3f ff 34 24 59 e9 1a ff ff ff 55 exception.symbol: ea81591e2a+0x54b21e exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5550622 exception.address: 0x94b21e registers.esp: 1638204 registers.edi: 3927472744 registers.eax: 9746979 registers.ebp: 3997843476 registers.edx: 9735599 registers.ebx: 0 registers.esi: 3935105580 registers.ecx: 157417	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 3d f8 ff ff 35 25 66 ff 5f 05 72 exception.symbol: ea81591e2a+0x54ca7c exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5556860 exception.address: 0x94ca7c registers.esp: 1638200 registers.edi: 9748446 registers.eax: 31958 registers.ebp: 3997843476 registers.edx: 9749020 registers.ebx: 1 registers.esi: 3925038791 registers.ecx: 39372	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 53 89 0c 24 52 c7 04 24 07 f0 f7 exception.symbol: ea81591e2a+0x54c8f2 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5556466 exception.address: 0x94c8f2 registers.esp: 1638204 registers.edi: 4294938008 registers.eax: 31958 registers.ebp: 3997843476 registers.edx: 9780978 registers.ebx: 1 registers.esi: 3925038791 registers.ecx: 3533137	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 0b 00 00 00 81 c1 c6 82 2c 4f e9 33 07 00 exception.symbol: ea81591e2a+0x54d2c6 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5558982 exception.address: 0x94d2c6 registers.esp: 1638200 registers.edi: 4294938008 registers.eax: 9752124 registers.ebp: 3997843476 registers.edx: 2135759101 registers.ebx: 1 registers.esi: 3925038791 registers.ecx: 2042373986	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 55 bd a6 d8 ef 7f 56 51 e9 96 03 00 00 81 c5 exception.symbol: ea81591e2a+0x54d36a exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5559146 exception.address: 0x94d36a registers.esp: 1638204 registers.edi: 81129 registers.eax: 9781696 registers.ebp: 3997843476 registers.edx: 2135759101 registers.ebx: 1 registers.esi: 3925038791 registers.ecx: 4294941040	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 c7 3d 60 68 89 14 24 56 e9 41 09 exception.symbol: ea81591e2a+0x556d26 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5598502 exception.address: 0x956d26 registers.esp: 1638200 registers.edi: 81129 registers.eax: 29909 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 9792238 registers.esi: 9758752 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 52 89 1c 24 c7 04 24 fd 7d ca 03 e9 00 fb ff exception.symbol: ea81591e2a+0x5573ee exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5600238 exception.address: 0x9573ee registers.esp: 1638204 registers.edi: 81129 registers.eax: 29909 registers.ebp: 3997843476 registers.edx: 2130566132 registers.ebx: 9822147 registers.esi: 9758752 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 56 be 2a d4 fe 73 68 00 00 00 00 29 34 24 5e exception.symbol: ea81591e2a+0x5573c0 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5600192 exception.address: 0x9573c0 registers.esp: 1638204 registers.edi: 81129 registers.eax: 322689 registers.ebp: 3997843476 registers.edx: 0 registers.ebx: 9795503 registers.esi: 9758752 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 3f 01 00 00 c1 ea 04 81 ea e3 d3 1c 89 e9 exception.symbol: ea81591e2a+0x5651db exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5657051 exception.address: 0x9651db registers.esp: 1638204 registers.edi: 322689 registers.eax: 26980 registers.ebp: 3997843476 registers.edx: 9877432 registers.ebx: 9826714 registers.esi: 9826710 registers.ecx: 4294943188	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 68 07 c6 0b 7d 89 34 24 68 exception.symbol: ea81591e2a+0x5709e0 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5704160 exception.address: 0x9709e0 registers.esp: 1638204 registers.edi: 9929648 registers.eax: 31662 registers.ebp: 3997843476 registers.edx: 582600 registers.ebx: 4294938120 registers.esi: 322689 registers.ecx: 3355967488	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 51 89 2c 24 e9 47 02 00 00 29 ea ff 34 24 ff exception.symbol: ea81591e2a+0x5814c6 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5772486 exception.address: 0x9814c6 registers.esp: 1638204 registers.edi: 49416 registers.eax: 33241 registers.ebp: 3997843476 registers.edx: 70566152 registers.ebx: 9943230 registers.esi: 70566152 registers.ecx: 9998999	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 88 a4 ac 27 89 0c 24 c7 04 24 f3 98 ef 7f exception.symbol: ea81591e2a+0x581cd4 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5774548 exception.address: 0x981cd4 registers.esp: 1638204 registers.edi: 1121956456 registers.eax: 33241 registers.ebp: 3997843476 registers.edx: 4294937304 registers.ebx: 9943230 registers.esi: 70566152 registers.ecx: 9998999	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 c8 fa ff ff b9 b6 a4 df 7e 29 ce e9 e8 f9 exception.symbol: ea81591e2a+0x58286c exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5777516 exception.address: 0x98286c registers.esp: 1638200 registers.edi: 1121956456 registers.eax: 27750 registers.ebp: 3997843476 registers.edx: 1475610961 registers.ebx: 1345795255 registers.esi: 9969368 registers.ecx: 1943612153	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 31 d2 e9 11 f8 ff ff 81 2c 24 d2 da 7b 2e ff exception.symbol: ea81591e2a+0x5827d7 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5777367 exception.address: 0x9827d7 registers.esp: 1638204 registers.edi: 1121956456 registers.eax: 27750 registers.ebp: 3997843476 registers.edx: 1475610961 registers.ebx: 1345795255 registers.esi: 9997118 registers.ecx: 1943612153	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 3a d2 62 28 89 34 24 51 b9 00 bf exception.symbol: ea81591e2a+0x582297 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5776023 exception.address: 0x982297 registers.esp: 1638204 registers.edi: 1121956456 registers.eax: 27750 registers.ebp: 3997843476 registers.edx: 4294942136 registers.ebx: 1345795255 registers.esi: 9997118 registers.ecx: 2298801283	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 f8 f8 ff ff 68 23 25 b3 69 ff 34 24 e9 c7 exception.symbol: ea81591e2a+0x59d5e8 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5887464 exception.address: 0x99d5e8 registers.esp: 1638200 registers.edi: 9735891 registers.eax: 27135 registers.ebp: 3997843476 registers.edx: 395049983 registers.ebx: 82190 registers.esi: 10607132 registers.ecx: 10079427	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 51 51 89 1c 24 e9 8e 00 00 00 87 3c 24 5c 68 exception.symbol: ea81591e2a+0x59d167 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5886311 exception.address: 0x99d167 registers.esp: 1638204 registers.edi: 9735891 registers.eax: 27135 registers.ebp: 3997843476 registers.edx: 1865726803 registers.ebx: 82190 registers.esi: 0 registers.ecx: 10082222	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 53 bb ab 08 ff 3e 89 d8 5b 01 c6 exception.symbol: ea81591e2a+0x59dbf5 exception.instruction: sti exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5889013 exception.address: 0x99dbf5 registers.esp: 1638200 registers.edi: 9735891 registers.eax: 28468 registers.ebp: 3997843476 registers.edx: 1865726803 registers.ebx: 1953900871 registers.esi: 10082557 registers.ecx: 10082222	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://80.64.18.63/tom4ku9v/index.php
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://80.64.18.219/files/unique2/random.exe

Performs some HTTP requests (2 events)

request	POST http://80.64.18.63/tom4ku9v/index.php
request	GET http://80.64.18.219/files/unique2/random.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://80.64.18.63/tom4ku9v/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 81 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:39 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

ea81591e2a.exe tried to sleep 251 seconds, actually delayed analysis time by 251 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\10000510101\ea81591e2a.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\4d0ca3b476\taren.exe
file	C:\Users\test22\AppData\Local\Temp\10000510101\ea81591e2a.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\4d0ca3b476\taren.exe
file	C:\Users\test22\AppData\Local\Temp\10000510101\ea81591e2a.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 4, 2025, 12:44 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\4d0ca3b476\taren.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\4d0ca3b476\taren.exe	1	1	0
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10000510101\ea81591e2a.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10000510101\ea81591e2a.exe	1	1	0

An executable file was downloaded by the process taren.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 4, 2025, 12:45 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àRn1p}p@ }2C@`07t`ðÉ0¸[}h[} P¼@à.rsrcðÉ0`¼%Ì@À.idata 07(@À À+@7(@àftynlkci`c`(@àbkbmgnxk`}ìB@à.taggant0p}"ðB@à request_handle: 0x00cc000c	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (2 events)

host	80.64.18.219
host	80.64.18.63

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 95 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\taren.job

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 82 2b 97 2a 89 14 24 exception.symbol: ea81591e2a+0x4ff451 exception.instruction: in eax, dx exception.module: ea81591e2a.exe exception.exception_code: 0xc0000096 exception.offset: 5239889 exception.address: 0x8ff451 registers.esp: 1638236 registers.edi: 9411211 registers.eax: 1447909480 registers.ebp: 3997843476 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 9415375 registers.ecx: 20	1	0	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojandownloader.Convagent
Skyhigh	BehavesLike.Win32.Generic.gh
ALYac	Gen:Variant.Doina.45665
Cylance	Unsafe
VIPRE	Gen:Variant.Doina.45665
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Doina.45665
K7GW	Trojan-Downloader ( 005790d31 )
K7AntiVirus	Trojan-Downloader ( 005790d31 )
Arcabit	Trojan.Doina.DB261
Baidu	Win32.Trojan.Delf.in
VirIT	Trojan.Win32.Genus.XVS
Symantec	Trojan.Whispergate
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
Avast	Win32:MalwareX-gen [Adw]
Kaspersky	HEUR:Trojan-Downloader.Win32.Convagent.gen
Alibaba	TrojanDownloader:Win32/Convagent.0d47c743
NANO-Antivirus	Trojan.Win32.Convagent.kxcmvw
MicroWorld-eScan	Gen:Variant.Doina.45665
Rising	Trojan.Injector!1.12C32 (CLASSIC)
Emsisoft	Gen:Variant.Doina.45665 (B)
F-Secure	Trojan.TR/Redcap.prxhe
DrWeb	Trojan.MulDrop31.39259
TrendMicro	Trojan.Win32.AMADEY.YXFEBZ
McAfeeD	Real Protect-LS!5757874C90B7
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.amadey
Sophos	Troj/Amadey-O
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDownloader.Deyma.azv
Google	Detected
Avira	TR/Redcap.prxhe
Antiy-AVL	Trojan[Downloader]/Win32.Deyma
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Multiverze!rfn
ViRobot	Trojan.Win.Z.Doina.425472.C
ZoneAlarm	Troj/Amadey-O
GData	Gen:Variant.Doina.45665
Varist	W32/Agent.DJJ.gen!Eldorado
AhnLab-V3	Trojan/Win.Amadey.R679980
McAfee	Artemis!5757874C90B7
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDownloader.Deyma
Malwarebytes	Trojan.Agent.RMD.Generic
Ikarus	Trojan.Spy.Stealer
Panda	Trj/Genetic.gen

amnew.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All