Summary | ZeroBOX

BrowzarBrowser_j2.exe

Tags: Generic Malware, ScreenShot, AntiDebug, PNG Format, PE File, PE32, .NET EXE, AntiVM

| Category | Machine | Started | Completed |
| --- | --- | --- | --- |
| FILE | s1_win7_x6402 | June 25, 2021, 2:32 p.m. | June 25, 2021, 2:34 p.m. |

Size: 698.8KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 43cd8230b8e5c132362d91f30341dd26
SHA256: 5a57385f2f478ef411b2a180b65ad408d7133149d9584ccfe3954813db79729e
CRC32: 2980A841
ssdeep: 12288:1XmwRo+mv8QD4+0N46dNNQ57kekvu5q+14EgY7t3k+Lo494eSkZM0mlrizzYB5:1X48QE+UTEwvu5qb+3k494eSkZM0mlrJ
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

| IP Address | Status | Action |
| --- | --- | --- |
| 139.59.176.201 | Active | Moloch |
| 142.250.199.78 | Active | Moloch |
| 142.250.204.66 | Active | Moloch |
| 142.250.66.46 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.217.163.234 | Active | Moloch |
| 172.217.25.14 | Active | Moloch |

Suricata Alerts

| Flow | SID | Signature | Category |
| --- | --- | --- | --- |
| TCP 192.168.56.102:49816 -> 142.250.66.46:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49815 -> 142.250.204.66:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |

Suricata TLS

| Flow | Issuer | Subject | Fingerprint |
| --- | --- | --- | --- |
| TLSv1 192.168.56.102:49816 -> 142.250.66.46:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com | f6:bb:41:2d:b9:00:0e:0f:6a:a0:82:ab:72:f2:75:3a:e2:ab:b9:88 |
| TLSv1 192.168.56.102:49815 -> 142.250.204.66:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.g.doubleclick.net | e5:9c:b3:d0:38:19:d1:1d:5d:96:05:41:fe:42:1e:08:84:b2:cc:7f |

| Time & API | Arguments | Status Return Repeated |
| --- | --- | --- |
| IsDebuggerPresent | (none) | 0 0 |
| IsDebuggerPresent | (none) | 0 0 |

| Time & API | Arguments | Status Return Repeated |
| --- | --- | --- |
| GlobalMemoryStatusEx | (none) | 1 1 0 |
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API: __exception__ (Status, Return and Repeated values follow the exception details)

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x74bff777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74d6419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x74de011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
ObjectStublessClient4+0x4ff CoQueryProxyBlanket-0x4f8 ole32+0x35d2c @ 0x74af5d2c
ObjectStublessClient6+0xfb ObjectStublessClient20-0x20f ole32+0x3637b @ 0x74af637b
CoSetState+0xa6b IsValidInterface-0xbb3 ole32+0x43170 @ 0x74b03170
CoSetState+0x993 IsValidInterface-0xc8b ole32+0x43098 @ 0x74b03098
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49e25 @ 0x74b09e25
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d86 @ 0x74b09d86
New_ole32_CoCreateInstanceEx@24+0x59 New_ole32_CoGetClassObject@20-0x1c8 @ 0x729c4c3d
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49d3f @ 0x74b09d3f
New_ole32_CoCreateInstance@20+0x120 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x729c4b68
DllGetClassObject-0x304c ieframe+0xe1a5 @ 0x6f8fe1a5
ImportPrivacySettings+0x259 IEDisassociateThreadWithTab-0x57daf ieframe+0x1d497a @ 0x6fac497a
SetQueryNetSessionCount+0x28abe DllRegisterServer-0x60d7f ieframe+0x13f8fb @ 0x6fa2f8fb
IEIsProtectedModeProcess+0x2d66f IELaunchURL-0xfe49 ieframe+0x80e1a @ 0x6f970e1a
IEIsProtectedModeProcess+0x2cb79 IELaunchURL-0x1093f ieframe+0x80324 @ 0x6f970324
IEIsProtectedModeProcess+0x2ca2a IELaunchURL-0x10a8e ieframe+0x801d5 @ 0x6f9701d5
IEIsProtectedModeProcess+0x2d63e IELaunchURL-0xfe7a ieframe+0x80de9 @ 0x6f970de9
IEIsProtectedModeProcess+0x2d5f2 IELaunchURL-0xfec6 ieframe+0x80d9d @ 0x6f970d9d
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xa8224 DllRegisterServer-0x299f4 mfc42u+0xb6d30 @ 0x72256d30
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xabc62 DllRegisterServer-0x25fb6 mfc42u+0xba76e @ 0x7225a76e
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xa6a6b DllRegisterServer-0x2b1ad mfc42u+0xb5577 @ 0x72255577
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xa730d DllRegisterServer-0x2a90b mfc42u+0xb5e19 @ 0x72255e19
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xa6250 DllRegisterServer-0x2b9c8 mfc42u+0xb4d5c @ 0x72254d5c
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xa6467 DllRegisterServer-0x2b7b1 mfc42u+0xb4f73 @ 0x72254f73
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0xa5e7a DllRegisterServer-0x2bd9e mfc42u+0xb4986 @ 0x72254986
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x61669 DllRegisterServer-0x705af mfc42u+0x70175 @ 0x72210175
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x7b43 DllRegisterServer-0xca0d5 mfc42u+0x1664f @ 0x721b664f
?interfaceMap@CCustomControlSite@@1UAFX_INTERFACEMAP@@B-0x3cf4d browzar+0x600b @ 0x40600b
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x9cbe DllRegisterServer-0xc7f5a mfc42u+0x187ca @ 0x721b87ca
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x9df5 DllRegisterServer-0xc7e23 mfc42u+0x18901 @ 0x721b8901
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x755b965e
SetKeyboardState+0xbbd CliImmSetHotKey-0x12c9e user32+0x4206f @ 0x755e206f
CreateDialogIndirectParamAorW+0x33 CreateDialogParamW-0x9 user32+0x410d3 @ 0x755e10d3
CreateDialogIndirectParamW+0x1b AdjustWindowRect-0x6d user32+0x2c659 @ 0x755cc659
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x50d90 DllRegisterServer-0x80e88 mfc42u+0x5f89c @ 0x721ff89c
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x51162 DllRegisterServer-0x80ab6 mfc42u+0x5fc6e @ 0x721ffc6e
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x6171e DllRegisterServer-0x704fa mfc42u+0x7022a @ 0x7221022a
?interfaceMap@CCustomControlSite@@1UAFX_INTERFACEMAP@@B-0xa5da browzar+0x3897e @ 0x43897e

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8001010d
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 45274372
registers.edi: 1957755408
registers.eax: 45274372
registers.ebp: 45274452
registers.edx: 1
registers.ebx: 6477148
registers.esi: 2147549453
registers.ecx: 0
Status Return Repeated: 1 0 0

request GET http://www.browzar.com/start/?v=2000
request GET http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js
request GET http://www.browzar.com/start/css/screen.css?1=1
request GET http://www.browzar.com/start/css/ie8.css
request GET http://www.browzar.com/start/images/browzar-logo.png
request GET http://www.browzar.com/start/css/ie7.css
request GET http://www.google-analytics.com/ga.js
request GET http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1496702806&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x609&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1112940496&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1624614754659&utmac=UA-3260541-1&utmcc=__utma%3D175377393.301550976.1624614755.1624614755.1624614755.1%3B%2B__utmz%3D175377393.1624614755.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=2127249809&utmredir=1&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
request GET http://www.browzar.com/favicon.ico
request GET http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=2&utmn=106956919&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1654346529&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1624614765497&utmac=UA-3260541-1&utmcc=__utma%3D175377393.301550976.1624614755.1624614755.1624614755.1%3B%2B__utmz%3D175377393.1624614755.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
request GET http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=3&utmn=213885062&utmhn=www.browzar.com&utmcs=utf-8&utmsr=1024x768&utmvp=1001x574&utmsc=32-bit&utmul=ko&utmje=1&utmfl=13.0%20r0&utmdt=Browzar%20%7C%20Your%20private%20window%20on%20the%20Web&utmhid=1581547974&utmr=-&utmp=%2Fstart%2F%3Fv%3D2000&utmht=1624614765785&utmac=UA-3260541-1&utmcc=__utma%3D175377393.301550976.1624614755.1624614755.1624614755.1%3B%2B__utmz%3D175377393.1624614755.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=HAAAAAAAAAAAAAAAAAAAAAAE~
request GET https://cse.google.com/cse.js?cx=d33ee9b7555c1feec
request GET https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Time & API: NtProtectVirtualMemory, 50 calls. Arguments common to every call: stack_dep_bypass: 0, stack_pivoted: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffff; Status 1, Return 0, Repeated 0 for each call. The arguments that vary are listed below.

| # | process_identifier | heap_dep_bypass | base_address |
| --- | --- | --- | --- |
| 1 | 2288 | 0 | 0x73772000 |
| 2 | 8564 | 0 | 0x73772000 |
| 3 | 8564 | 1 | 0x05e50000 |
| 4 | 8564 | 1 | 0x05e50000 |
| 5 | 8564 | 1 | 0x05e51000 |
| 6 | 8564 | 1 | 0x05e51000 |
| 7 | 8564 | 1 | 0x05e51000 |
| 8 | 8564 | 1 | 0x05e51000 |
| 9 | 8564 | 1 | 0x05e51000 |
| 10 | 8564 | 1 | 0x05e51000 |
| 11 | 8564 | 1 | 0x05e52000 |
| 12 | 8564 | 1 | 0x05e53000 |
| 13 | 8564 | 1 | 0x05e53000 |
| 14 | 8564 | 1 | 0x05e53000 |
| 15 | 8564 | 1 | 0x05e54000 |
| 16 | 8564 | 1 | 0x05e54000 |
| 17 | 8564 | 1 | 0x05e54000 |
| 18 | 8564 | 1 | 0x05e55000 |
| 19 | 8564 | 1 | 0x05e56000 |
| 20 | 8564 | 1 | 0x05e57000 |
| 21 | 8564 | 1 | 0x05e57000 |
| 22 | 8564 | 1 | 0x05e57000 |
| 23 | 8564 | 1 | 0x05e57000 |
| 24 | 8564 | 1 | 0x05e57000 |
| 25 | 8564 | 1 | 0x05e58000 |
| 26 | 8564 | 1 | 0x05e58000 |
| 27 | 8564 | 1 | 0x05e59000 |
| 28 | 8564 | 1 | 0x05e59000 |
| 29 | 8564 | 1 | 0x05e59000 |
| 30 | 8564 | 1 | 0x05e5a000 |
| 31 | 8564 | 1 | 0x05e5a000 |
| 32 | 8564 | 1 | 0x05e5b000 |
| 33 | 8564 | 1 | 0x05e5c000 |
| 34 | 8564 | 1 | 0x05e5c000 |
| 35 | 8564 | 1 | 0x05e5d000 |
| 36 | 8564 | 1 | 0x05e5e000 |
| 37 | 8564 | 1 | 0x05e5e000 |
| 38 | 8564 | 1 | 0x05e5f000 |
| 39 | 8564 | 1 | 0x05ff0000 |
| 40 | 8564 | 1 | 0x05ff1000 |
| 41 | 8564 | 1 | 0x05ff1000 |
| 42 | 8564 | 1 | 0x05ff1000 |
| 43 | 8564 | 1 | 0x05ff2000 |
| 44 | 8564 | 1 | 0x05ff2000 |
| 45 | 8564 | 1 | 0x05ff3000 |
| 46 | 8564 | 1 | 0x05ff3000 |
| 47 | 8564 | 1 | 0x05ff4000 |
| 48 | 8564 | 1 | 0x05ff4000 |
| 49 | 8564 | 1 | 0x05ff4000 |
| 50 | 8564 | 1 | 0x05ff5000 |
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\ga[1].js
file C:\Program Files (x86)\Browzar\Browzar.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\jquery.min[1].js
file C:\Program Files (x86)\Browzar\n0NFEi3J3thn.exe
file C:\Program Files (x86)\Browzar\Uninstall.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\jquery.min[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\ga[1].js
file C:\Program Files (x86)\Browzar\Browzar.exe
Time & API: NtProtectVirtualMemory (1 call)

| process_identifier | stack_dep_bypass | stack_pivoted | heap_dep_bypass | length | protection | base_address | process_handle | Status Return Repeated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8564 | 0 | 0 | 1 | 4096 | 16 (PAGE_EXECUTE) | 0x05e50000 | 0xffffffff | 1 0 0 |
| Rule | Description |
| --- | --- |
| ScreenShot | Take ScreenShot |
| DebuggerCheck__GlobalFlags | (no description) |
| DebuggerCheck__QueryInfo | (no description) |
| DebuggerHiding__Thread | (no description) |
| DebuggerHiding__Active | (no description) |
| ThreadControl__Context | (no description) |
| SEH__vectored | (no description) |
| anti_dbg | Checks if being debugged |
| disable_dep | Bypass DEP |
host 172.217.25.14
Time & API: RegSetValueExA

| key_handle | regkey_r | reg_type | value | regkey | Status Return Repeated |
| --- | --- | --- | --- | --- | --- |
| 0x00000378 | ProxyEnable | 4 (REG_DWORD) | 0 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable | 1 0 0 |
Process injection: Process 2288 resumed a thread in remote process 8564

Time & API: NtResumeThread

| thread_handle | suspend_count | process_identifier | Status Return Repeated |
| --- | --- | --- | --- |
| 0x0000027c | 1 | 8564 | 1 0 0 |
| Engine | Detection |
| --- | --- |
| Bkav | W32.AIDetect.malware2 |
| DrWeb | Trojan.PWS.Stealer.30497 |
| MicroWorld-eScan | Gen:Variant.Midie.90536 |
| ALYac | Gen:Variant.Midie.90536 |
| Cylance | Unsafe |
| K7GW | Trojan ( 0057d3ef1 ) |
| Cybereason | malicious.72601a |
| Arcabit | Trojan.Midie.D161A8 |
| Symantec | ML.Attribute.HighConfidence |
| ESET-NOD32 | a variant of Win32/GenCBL.ALZ |
| APEX | Malicious |
| Avast | Win32:DangerousSig [Trj] |
| ClamAV | Win.Malware.Midie-9871449-0 |
| Kaspersky | UDS:Trojan-PSW.MSIL.Reline.gen |
| BitDefender | Gen:Variant.Midie.90536 |
| Ad-Aware | Gen:Variant.Midie.90536 |
| Sophos | Generic ML PUA (PUA) |
| McAfee-GW-Edition | BehavesLike.Win32.BadFile.jc |
| FireEye | Generic.mg.43cd8230b8e5c132 |
| Emsisoft | Gen:Variant.Midie.90536 (B) |
| MaxSecure | Trojan-Ransom.Win32.Crypmod.zfq |
| MAX | malware (ai score=89) |
| Microsoft | Trojan:MSIL/AgentTesla.STA |
| GData | Gen:Variant.Midie.90536 |
| Cynet | Malicious (score: 100) |
| AhnLab-V3 | Trojan/Win.Generic.R425221 |
| McAfee | Artemis!43CD8230B8E5 |
| Malwarebytes | Trojan.MalPack |
| eGambit | Unsafe.AI_Score_99% |
| Fortinet | W32/PossibleThreat |
| AVG | Win32:DangerousSig [Trj] |
| CrowdStrike | win/malicious_confidence_70% (W) |