Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 2, 2023, 4:42 p.m.	Aug. 2, 2023, 4:44 p.m.

Size	16.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`c467fc9aafa3b840fd94d27e697649b8`
SHA256	`c9f02f547a430b15b6ba7fdafc885046cdbc0af9eb113250c70b0d3f02e03ee2`
CRC32	`DE9EC283`
ssdeep	`393216:qK/HZQeUKGFAnHpFWd5ThgtBkyKziLH/gwK519OM:qjeCFbTmtBkyd7/LK5zOM`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

c9f02f547a430b15b6ba7fdafc885046cdbc0af9eb113250c70b0d3f02e03ee2.exe "C:\Users\test22\AppData\Local\Temp\c9f02f547a430b15b6ba7fdafc885046cdbc0af9eb113250c70b0d3f02e03ee2.exe"
2552
- TheWorld.exe "C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe"
  2692
  - TheWorld.exe "C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe" --type=upgrade_silent
    2712

Name	Response	Post-Analysis Lookup
s0.ssl.qhimg.com	A 18.67.51.16 CNAME d1mlrtwse9996r.cloudfront.net A 18.67.51.105 A 18.67.51.124 A 18.67.51.14	18.67.51.16
clients3.google.com	CNAME clients.l.google.com A 172.217.27.14	172.217.161.238
hao.ssl.dhrest.com	CNAME hao.ssl.dhrest.com.qh-cdn.com CNAME hao.ssl.dhrest.com.webcdn.360qhcdn.com A 101.198.192.8 A 101.198.192.7 A 104.192.110.245	104.192.110.245
show-g.mediav.com	CNAME max-dr.mdvdns.qihucdn.cn A 180.163.247.134	180.163.247.134
dl.360tpcdn.com	A 101.198.192.13 CNAME dl.360tpcdn.com.dl.360qhcdn.com CNAME dl.360tpcdn.com.qh-cdn.com A 101.198.192.12	104.192.108.19
s.360.cn	A 171.8.167.90 A 101.198.2.147 A 180.163.251.230 A 180.163.251.231	180.163.251.230
s1.ssl.qhres.com
update.theworld.cn	A 101.198.0.21	101.198.0.21
hao.360.cn	A 180.163.237.169	180.163.237.169
s0.ssl.qhres.com
p1.ssl.qhimg.com	A 99.86.207.22 A 99.86.207.87 CNAME d3h3opd4qa0dfk.cloudfront.net A 99.86.207.4 A 99.86.207.82	99.86.207.4
www.gstatic.com	A 142.251.220.67	142.250.76.131
p0.ssl.qhimg.com	A 99.86.207.22 A 99.86.207.87 CNAME d3h3opd4qa0dfk.cloudfront.net A 99.86.207.4 A 99.86.207.82	99.86.207.82

IP Address	Status	Action
101.198.0.21	Active	Moloch
101.198.192.13	Active	Moloch
142.251.220.67	Active	Moloch
164.124.101.2	Active	Moloch
172.217.27.14	Active	Moloch
180.163.237.169	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49170 172.217.27.14:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	7a:d9:ce:59:01:29:9a:bd:8b:2f:38:c6:15:94:76:52:a8:fb:56:03
TLS 1.2 192.168.56.101:49178 142.251.220.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	1d:cb:14:a0:ba:14:b6:03:59:6d:d5:e2:f5:4c:73:e3:ff:73:57:90

Checks if process is being debugged by a debugger (20 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 2, 2023, 4:22 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:23 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 2, 2023, 4:22 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 2, 2023, 4:23 p.m.	stacktrace: CredUIPromptForWindowsCredentialsWorker-0x412 credui+0x1e8e @ 0x712e1e8e CredUIPromptForWindowsCredentialsWorker-0x44f credui+0x1e51 @ 0x712e1e51 CredUIPromptForWindowsCredentialsWorker-0xf87 credui+0x1319 @ 0x712e1319 CredUIPromptForWindowsCredentialsWorker-0xd63 credui+0x153d @ 0x712e153d RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930 LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9 _vsnwprintf+0x63c RtlInitializeHandleTable-0x10 ntdll+0x4f5cf @ 0x76f5f5cf LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x76f401c2 New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x7354d359 GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x759811c4 hook+0x173 hook_get_mem-0x33a @ 0x73534e8e monitor_hook+0x5d monitor_unhook-0x1c @ 0x7353162d hook_library+0x1a unhook_library-0x3 @ 0x7353c6b9 log_init+0x1ce hook_init-0x5 @ 0x73533c00 RtlUnlockModuleSection+0x591 RtlQueryAtomInAtomTable-0x164 ntdll+0x676b8 @ 0x76f776b8 LdrLoadDll+0x310 _strcmpi-0x6f ntdll+0x3c74a @ 0x76f4c74a RtlEncodeSystemPointer+0x222 RtlFindClearBits-0x56f ntdll+0x3e27a @ 0x76f4e27a RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7354d4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a GetHandleVerifier-0x13231 theworld+0x1683f @ 0xb0683f GetHandleVerifier-0x130f2 theworld+0x1697e @ 0xb0697e GetHandleVerifier-0x12e52 theworld+0x16c1e @ 0xb06c1e GetHandleVerifier-0x13e27 theworld+0x15c49 @ 0xb05c49 ClearBreakpadPipeEnvironmentVariable+0x58f0 theworld+0x60050 @ 0xb50050 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x14b060 registers.esp: 3270748 registers.edi: 0 registers.eax: 3270764 registers.ebp: 3270772 registers.edx: 1936982016 registers.ebx: 3270832 registers.esi: 12 registers.ecx: 0	1	0	0
__exception__ Aug. 2, 2023, 4:23 p.m.	stacktrace: RtlIntegerToUnicodeString+0x20b RtlpUnWaitCriticalSection-0x1c4 ntdll+0x38cb8 @ 0x76f48cb8 GdiplusStartup+0x48 GdiplusShutdown-0x76 gdiplus+0x25648 @ 0x71125648 ChromeMain+0x22acda RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x146ade chrome+0x233671 @ 0x71543671 ChromeMain+0x22aa7d RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x146d3b chrome+0x233414 @ 0x71543414 ChromeMain+0x219a18 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157da0 chrome+0x2223af @ 0x715323af ChromeMain+0x219b4f RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157c69 chrome+0x2224e6 @ 0x715324e6 ChromeMain+0x1a0200 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d15b8 chrome+0x1a8b97 @ 0x714b8b97 ChromeMain+0x151e0c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x21f9ac chrome+0x15a7a3 @ 0x7146a7a3 ChromeMain+0x19ff6a RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d184e chrome+0x1a8901 @ 0x714b8901 ChromeMain+0x19feca RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d18ee chrome+0x1a8861 @ 0x714b8861 ChromeMain+0x19fe4e RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d196a chrome+0x1a87e5 @ 0x714b87e5 ChromeMain+0x19fd79 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a3f chrome+0x1a8710 @ 0x714b8710 ChromeMain+0x19fd53 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a65 chrome+0x1a86ea @ 0x714b86ea ChromeMain+0x219a4d RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157d6b chrome+0x2223e4 @ 0x715323e4 ChromeMain+0x219a18 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157da0 chrome+0x2223af @ 0x715323af ChromeMain+0x202657 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16f161 chrome+0x20afee @ 0x7151afee ChromeMain+0x1a0200 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d15b8 chrome+0x1a8b97 @ 0x714b8b97 ChromeMain+0x151e0c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x21f9ac chrome+0x15a7a3 @ 0x7146a7a3 ChromeMain+0x19ff6a RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d184e chrome+0x1a8901 @ 0x714b8901 ChromeMain+0x19feca RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d18ee chrome+0x1a8861 @ 0x714b8861 ChromeMain+0x19fe4e RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d196a chrome+0x1a87e5 @ 0x714b87e5 ChromeMain+0x19fd79 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a3f chrome+0x1a8710 @ 0x714b8710 ChromeMain+0x19fd53 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a65 chrome+0x1a86ea @ 0x714b86ea ChromeMain+0x208f6c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16884c chrome+0x211903 @ 0x71521903 ChromeMain+0x1ea719 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x18709f chrome+0x1f30b0 @ 0x715030b0 ChromeMain+0x1acab9 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1c4cff chrome+0x1b5450 @ 0x714c5450 ChromeMain+0x203ff0 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16d7c8 chrome+0x20c987 @ 0x7151c987 ChromeMain+0x203eb5 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16d903 chrome+0x20c84c @ 0x7151c84c ChromeMain+0x203b09 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16dcaf chrome+0x20c4a0 @ 0x7151c4a0 ChromeMain+0x2039f0 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16ddc8 chrome+0x20c387 @ 0x7151c387 ChromeMain+0x2038e1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16ded7 chrome+0x20c278 @ 0x7151c278 ChromeMain+0x1f7a2b RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x179d8d chrome+0x2003c2 @ 0x715103c2 GetHandleVerifier+0x4f681d chrome+0x8fd854 @ 0x71c0d854 GetHandleVerifier+0x50a0d3 chrome+0x91110a @ 0x71c2110a GetHandleVerifier+0x502ca3 chrome+0x909cda @ 0x71c19cda GetHandleVerifier+0x50296a chrome+0x9099a1 @ 0x71c199a1 ChromeMain+0x178542 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9276 chrome+0x180ed9 @ 0x71490ed9 ChromeMain+0x1780b4 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9704 chrome+0x180a4b @ 0x71490a4b ChromeMain+0x177eb6 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9902 chrome+0x18084d @ 0x7149084d ChromeMain+0x177815 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9fa3 chrome+0x1801ac @ 0x714901ac ChromeMain+0x1774d1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1fa2e7 chrome+0x17fe68 @ 0x7148fe68 ChromeMain+0x177268 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1fa550 chrome+0x17fbff @ 0x7148fbff ChromeMain+0x595fb RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x3181bd chrome+0x61f92 @ 0x71371f92 ChromeMain+0x58fc1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x3187f7 chrome+0x61958 @ 0x71371958 ChromeMain+0x58f6b RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x31884d chrome+0x61902 @ 0x71371902 ChromeMain+0x218ba RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x34fefe chrome+0x2a251 @ 0x7133a251 ChromeMain+0x164ca RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x35b2ee chrome+0x1ee61 @ 0x7132ee61 ChromeMain+0x162f1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x35b4c7 chrome+0x1ec88 @ 0x7132ec88 ChromeMain+0x16186 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x35b632 chrome+0x1eb1d @ 0x7132eb1d ChromeMain+0x284c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x36ef6c chrome+0xb1e3 @ 0x7131b1e3 ChromeMain+0x87 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x371731 chrome+0x8a1e @ 0x71318a1e GetHandleVerifier-0x12de6 theworld+0x16c8a @ 0xb06c8a GetHandleVerifier-0x13e27 theworld+0x15c49 @ 0xb05c49 ClearBreakpadPipeEnvironmentVariable+0x58f0 theworld+0x60050 @ 0xb50050 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 40 14 8b 5d f4 8b 7d f0 80 3d 82 03 fe 7f 00 exception.symbol: RtlIntegerToUnicodeString+0x2fc RtlpUnWaitCriticalSection-0xd3 ntdll+0x38da9 exception.instruction: inc dword ptr [eax + 0x14] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 232873 exception.address: 0x76f48da9 registers.esp: 3269724 registers.edi: 1898395488 registers.eax: 0 registers.ebp: 3269804 registers.edx: 4 registers.ebx: 4294967292 registers.esi: 1898395484 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 2, 2023, 4:23 p.m.

stacktrace:

CredUIPromptForWindowsCredentialsWorker-0x412 credui+0x1e8e @ 0x712e1e8e
CredUIPromptForWindowsCredentialsWorker-0x44f credui+0x1e51 @ 0x712e1e51
CredUIPromptForWindowsCredentialsWorker-0xf87 credui+0x1319 @ 0x712e1319
CredUIPromptForWindowsCredentialsWorker-0xd63 credui+0x153d @ 0x712e153d
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9
_vsnwprintf+0x63c RtlInitializeHandleTable-0x10 ntdll+0x4f5cf @ 0x76f5f5cf
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x76f401c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x7354d359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x759811c4
hook+0x173 hook_get_mem-0x33a @ 0x73534e8e
monitor_hook+0x5d monitor_unhook-0x1c @ 0x7353162d
hook_library+0x1a unhook_library-0x3 @ 0x7353c6b9
log_init+0x1ce hook_init-0x5 @ 0x73533c00
RtlUnlockModuleSection+0x591 RtlQueryAtomInAtomTable-0x164 ntdll+0x676b8 @ 0x76f776b8
LdrLoadDll+0x310 _strcmpi-0x6f ntdll+0x3c74a @ 0x76f4c74a
RtlEncodeSystemPointer+0x222 RtlFindClearBits-0x56f ntdll+0x3e27a @ 0x76f4e27a
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7354d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
GetHandleVerifier-0x13231 theworld+0x1683f @ 0xb0683f
GetHandleVerifier-0x130f2 theworld+0x1697e @ 0xb0697e
GetHandleVerifier-0x12e52 theworld+0x16c1e @ 0xb06c1e
GetHandleVerifier-0x13e27 theworld+0x15c49 @ 0xb05c49
ClearBreakpadPipeEnvironmentVariable+0x58f0 theworld+0x60050 @ 0xb50050
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x14b060
registers.esp: 3270748
registers.edi: 0
registers.eax: 3270764
registers.ebp: 3270772
registers.edx: 1936982016
registers.ebx: 3270832
registers.esi: 12
registers.ecx: 0

__exception__

Aug. 2, 2023, 4:23 p.m.

stacktrace:

RtlIntegerToUnicodeString+0x20b RtlpUnWaitCriticalSection-0x1c4 ntdll+0x38cb8 @ 0x76f48cb8
GdiplusStartup+0x48 GdiplusShutdown-0x76 gdiplus+0x25648 @ 0x71125648
ChromeMain+0x22acda RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x146ade chrome+0x233671 @ 0x71543671
ChromeMain+0x22aa7d RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x146d3b chrome+0x233414 @ 0x71543414
ChromeMain+0x219a18 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157da0 chrome+0x2223af @ 0x715323af
ChromeMain+0x219b4f RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157c69 chrome+0x2224e6 @ 0x715324e6
ChromeMain+0x1a0200 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d15b8 chrome+0x1a8b97 @ 0x714b8b97
ChromeMain+0x151e0c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x21f9ac chrome+0x15a7a3 @ 0x7146a7a3
ChromeMain+0x19ff6a RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d184e chrome+0x1a8901 @ 0x714b8901
ChromeMain+0x19feca RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d18ee chrome+0x1a8861 @ 0x714b8861
ChromeMain+0x19fe4e RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d196a chrome+0x1a87e5 @ 0x714b87e5
ChromeMain+0x19fd79 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a3f chrome+0x1a8710 @ 0x714b8710
ChromeMain+0x19fd53 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a65 chrome+0x1a86ea @ 0x714b86ea
ChromeMain+0x219a4d RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157d6b chrome+0x2223e4 @ 0x715323e4
ChromeMain+0x219a18 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x157da0 chrome+0x2223af @ 0x715323af
ChromeMain+0x202657 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16f161 chrome+0x20afee @ 0x7151afee
ChromeMain+0x1a0200 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d15b8 chrome+0x1a8b97 @ 0x714b8b97
ChromeMain+0x151e0c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x21f9ac chrome+0x15a7a3 @ 0x7146a7a3
ChromeMain+0x19ff6a RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d184e chrome+0x1a8901 @ 0x714b8901
ChromeMain+0x19feca RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d18ee chrome+0x1a8861 @ 0x714b8861
ChromeMain+0x19fe4e RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d196a chrome+0x1a87e5 @ 0x714b87e5
ChromeMain+0x19fd79 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a3f chrome+0x1a8710 @ 0x714b8710
ChromeMain+0x19fd53 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1d1a65 chrome+0x1a86ea @ 0x714b86ea
ChromeMain+0x208f6c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16884c chrome+0x211903 @ 0x71521903
ChromeMain+0x1ea719 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x18709f chrome+0x1f30b0 @ 0x715030b0
ChromeMain+0x1acab9 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1c4cff chrome+0x1b5450 @ 0x714c5450
ChromeMain+0x203ff0 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16d7c8 chrome+0x20c987 @ 0x7151c987
ChromeMain+0x203eb5 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16d903 chrome+0x20c84c @ 0x7151c84c
ChromeMain+0x203b09 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16dcaf chrome+0x20c4a0 @ 0x7151c4a0
ChromeMain+0x2039f0 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16ddc8 chrome+0x20c387 @ 0x7151c387
ChromeMain+0x2038e1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x16ded7 chrome+0x20c278 @ 0x7151c278
ChromeMain+0x1f7a2b RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x179d8d chrome+0x2003c2 @ 0x715103c2
GetHandleVerifier+0x4f681d chrome+0x8fd854 @ 0x71c0d854
GetHandleVerifier+0x50a0d3 chrome+0x91110a @ 0x71c2110a
GetHandleVerifier+0x502ca3 chrome+0x909cda @ 0x71c19cda
GetHandleVerifier+0x50296a chrome+0x9099a1 @ 0x71c199a1
ChromeMain+0x178542 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9276 chrome+0x180ed9 @ 0x71490ed9
ChromeMain+0x1780b4 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9704 chrome+0x180a4b @ 0x71490a4b
ChromeMain+0x177eb6 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9902 chrome+0x18084d @ 0x7149084d
ChromeMain+0x177815 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1f9fa3 chrome+0x1801ac @ 0x714901ac
ChromeMain+0x1774d1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1fa2e7 chrome+0x17fe68 @ 0x7148fe68
ChromeMain+0x177268 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x1fa550 chrome+0x17fbff @ 0x7148fbff
ChromeMain+0x595fb RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x3181bd chrome+0x61f92 @ 0x71371f92
ChromeMain+0x58fc1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x3187f7 chrome+0x61958 @ 0x71371958
ChromeMain+0x58f6b RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x31884d chrome+0x61902 @ 0x71371902
ChromeMain+0x218ba RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x34fefe chrome+0x2a251 @ 0x7133a251
ChromeMain+0x164ca RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x35b2ee chrome+0x1ee61 @ 0x7132ee61
ChromeMain+0x162f1 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x35b4c7 chrome+0x1ec88 @ 0x7132ec88
ChromeMain+0x16186 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x35b632 chrome+0x1eb1d @ 0x7132eb1d
ChromeMain+0x284c RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x36ef6c chrome+0xb1e3 @ 0x7131b1e3
ChromeMain+0x87 RelaunchChromeBrowserWithNewCommandLineIfNeeded-0x371731 chrome+0x8a1e @ 0x71318a1e
GetHandleVerifier-0x12de6 theworld+0x16c8a @ 0xb06c8a
GetHandleVerifier-0x13e27 theworld+0x15c49 @ 0xb05c49
ClearBreakpadPipeEnvironmentVariable+0x58f0 theworld+0x60050 @ 0xb50050
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 40 14 8b 5d f4 8b 7d f0 80 3d 82 03 fe 7f 00
exception.symbol: RtlIntegerToUnicodeString+0x2fc RtlpUnWaitCriticalSection-0xd3 ntdll+0x38da9
exception.instruction: inc dword ptr [eax + 0x14]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 232873
exception.address: 0x76f48da9
registers.esp: 3269724
registers.edi: 1898395488
registers.eax: 0
registers.ebp: 3269804
registers.edx: 4
registers.ebx: 4294967292
registers.esi: 1898395484
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://update.theworld.cn/client.php?locale=en-GB&c=auto&ver=7.0.0.108&mid=fa7bb520099706f4d9615c3663eacc55&pid=tw

Performs some HTTP requests (3 events)

request	GET http://dl.360tpcdn.com/cse/ppflash.cab
request	GET http://update.theworld.cn/client.php?locale=zh-CN&mid=fa7bb520099706f4d9615c3663eacc55&ver=7.0.0.108&rn=297
request	GET http://update.theworld.cn/client.php?locale=en-GB&c=auto&ver=7.0.0.108&mid=fa7bb520099706f4d9615c3663eacc55&pid=tw

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 2, 2023, 4:22 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Aug. 2, 2023, 4:22 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13303595008 root_path: C:\Users\test22\AppData\Local\Temp\TheWorld total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Aug. 2, 2023, 4:23 p.m.	total_number_of_free_bytes: 13236195328 free_bytes_available: 13236195328 root_path: c:\users\test22\appdata\local\temp\theworld\User Data\Default\Cache total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Aug. 2, 2023, 4:24 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13210157056 root_path: C:\ total_number_of_bytes: 0	1	1

Checks for known Chinese AV sofware registry keys (1 event)

regkey

.*360Safe

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\7.0.0.108\chrome_elf.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\7.0.0.108\chrome_child.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\ppflash\29_0_0_171\pepflashplayer32_29_0_0_171.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\7.0.0.108\chrome.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe

Creates a shortcut to an executable file (6 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\7.0.0.108\chrome.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\ppflash\29_0_0_171\pepflashplayer32_29_0_0_171.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\7.0.0.108\chrome_elf.dll
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe
file	C:\Users\test22\AppData\Local\Temp\TheWorld\Application\7.0.0.108\chrome_child.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 2, 2023, 4:24 p.m.	thread_identifier: 2708 thread_handle: 0x00000444 process_identifier: 2712 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe" --type=upgrade_silent filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000044c	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 2, 2023, 4:23 p.m.	flags: 46 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000b400', u'virtual_address': u'0x00023000', u'entropy': 7.8983814016151594, u'name': u'UPX1', u'virtual_size': u'0x0000c000'}

entropy

7.89838140162

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00012a00', u'virtual_address': u'0x0002f000', u'entropy': 7.620331501106251, u'name': u'.rsrc', u'virtual_size': u'0x00013000'}

entropy

7.62033150111

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Yara rule detected in process memory (24 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000008bc	1	0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 2, 2023, 4:24 p.m.	key_handle: 0x000002b4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Manipulates memory of a non-child process indicative of process injection (50 out of 74 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2692 manipulating memory of non-child process 2864
Process injection	Process 2692 manipulating memory of non-child process 2444
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x000b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00220000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 7340032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00c00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00d40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f30000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f30000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f31000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f31000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f31000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f31000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f31000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f31000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000005ec	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00d40000 process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x000b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000008bc	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00120000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000008bc	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x002c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000008bc	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000008bc	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000008bc	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000008bc	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f30000 process_handle: 0x000008bc	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f30000 process_handle: 0x000008bc	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000008bc	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x76f2f000 process_handle: 0x000008bc	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 8 (PAGE_WRITECOPY) base_address: 0x76f2f000 process_handle: 0x000008bc	1	0	0

Potential code injection by writing to the memory of another process (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2692 injected into non-child 2864
Process injection	Process 2692 injected into non-child 2444
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: L(kernel32.dll$ý´CreateNamedPipeW base_address: 0x00d30000 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸R3ÉT$dÿÀÄÂ,ìRT$T$ÇD$ÔÇD$Øþ³ZÃ base_address: 0x00d40810 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸Rº(Ôÿâ base_address: 0x76f300a4 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸03ÉT$dÿÀÄÂìRT$T$ÇD$PÔÇD$¨´ZÃ base_address: 0x00d40850 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸0ºhÔÿâ base_address: 0x76f2fd54 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸:3ÉT$dÿÀÄÂìRT$T$ÇD$ÔÇD$Y´ZÃ base_address: 0x00d40890 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸:º¨Ôÿâ base_address: 0x76f2fe4c process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸3ÉT$dÿÀÄÂìRT$T$ÇD$ÐÔÇD$Ê´ZÃ base_address: 0x00d408d0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ºèÔÿâ base_address: 0x76f3132c process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸$3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$;´ZÃ base_address: 0x00d40910 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸$º( Ôÿâ base_address: 0x76f2fc28 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸þ3ÉT$dÿÀÄÂìRT$T$ÇD$P ÔÇD$O´ZÃ base_address: 0x00d40950 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸þºh Ôÿâ base_address: 0x76f31128 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸#3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$¼P´ZÃ base_address: 0x00d40990 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸#º¨ Ôÿâ base_address: 0x76f2fc10 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ù3ÉT$dÿÀÄÂìRT$T$ÇD$Ð ÔÇD$ÑQ´ZÃ base_address: 0x00d409d0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ùºè Ôÿâ base_address: 0x76f310b0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ 3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$O´ZÃ base_address: 0x00d40a10 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ º( Ôÿâ base_address: 0x76f2f99c process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸!3ÉT$dÿÀÄÂìRT$T$ÇD$P ÔÇD$3O´ZÃ base_address: 0x00d40a50 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸!ºh Ôÿâ base_address: 0x76f2fbe0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸-3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$R´ZÃ base_address: 0x00d40a90 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸-º¨ Ôÿâ base_address: 0x76f2fd08 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸,3ÉT$dÿÀÄÂìRT$T$ÇD$Ð ÔÇD$fO´ZÃ base_address: 0x00d40ad0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸,ºè Ôÿâ base_address: 0x76f2fcf0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸%3ÉT$dÿÀÄÂ(ìRT$T$ÇD$ÔÇD$¥´ZÃ base_address: 0x00d40b10 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸%º(Ôÿâ base_address: 0x76f2fc40 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸'3ÉT$dÿÀÄÂìRT$T$ÇD$PÔÇD$´ZÃ base_address: 0x00d40b50 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸'ºhÔÿâ base_address: 0x76f2fc70 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Ð base_address: 0x00d40800 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ÔPÔ ÔP ÔÐ ÔP Ô ÔÐ Ô ÔÔPÔÔÐÔ Ô base_address: 0x00bcb1d0 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Ó base_address: 0x00bcb244 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: °úòvÐùòv4þòvHûòv@üòv(óvÈúòvèùòv@óvÈûòvpüòv&àóvµæóv·ôvIõvÑåûvõvßóv\|ÂövàÄøvñVþv@#óv base_address: 0x00bcb120 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Section\Sessions\1\BaseNamedObjects\windows_shell_global_counters base_address: 0x00d50000 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Õ base_address: 0x00bcb1a8 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: base_address: 0x00bcb11c process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: base_address: 0x00bcb19c process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: à base_address: 0x00bcb194 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: base_address: 0x00bb4634 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ` base_address: 0x00bcb180 process_identifier: 2864 process_handle: 0x000005ec	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: L(kernel32.dll$ý´CreateNamedPipeW base_address: 0x00340000 process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸R3ÉT$dÿÀÄÂ,ìRT$T$ÇD$´5ÇD$Øþ³ZÃ base_address: 0x0035b410 process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸Rº(´5ÿâ base_address: 0x76f300a4 process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸03ÉT$dÿÀÄÂìRT$T$ÇD$P´5ÇD$¨´ZÃ base_address: 0x0035b450 process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸0ºh´5ÿâ base_address: 0x76f2fd54 process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸:3ÉT$dÿÀÄÂìRT$T$ÇD$´5ÇD$Y´ZÃ base_address: 0x0035b490 process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸:º¨´5ÿâ base_address: 0x76f2fe4c process_identifier: 2444 process_handle: 0x000008bc	1	1	0
WriteProcessMemory Aug. 2, 2023, 4:24 p.m.	buffer: ¸3ÉT$dÿÀÄÂìRT$T$ÇD$Ð´5ÇD$Ê´ZÃ base_address: 0x0035b4d0 process_identifier: 2444 process_handle: 0x000008bc	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2692 resumed a thread in remote process 2864
Process injection	Process 2692 resumed a thread in remote process 2444
NtResumeThread Aug. 2, 2023, 4:23 p.m.	thread_handle: 0x0000062c suspend_count: 1 process_identifier: 2864	1	0	0
NtResumeThread Aug. 2, 2023, 4:24 p.m.	thread_handle: 0x000008dc suspend_count: 1 process_identifier: 2444	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

180.163.237.169:80

Executed a process and injected code into it, probably while unpacking (50 out of 102 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 2, 2023, 4:22 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Aug. 2, 2023, 4:23 p.m.	thread_identifier: 2696 thread_handle: 0x000002bc process_identifier: 2692 current_directory: C:\Users\test22\AppData\Local\Temp\TheWorld filepath: C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
NtResumeThread Aug. 2, 2023, 4:23 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2692	1	0
CreateProcessInternalW Aug. 2, 2023, 4:23 p.m.	thread_identifier: 2868 thread_handle: 0x000005e0 process_identifier: 2864 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe" --type=renderer --enable-smooth-scrolling --disable-direct-write --lang=zh-CN --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-gpu-compositing --channel="2692.0.1161703622\1312518682" /prefetch:673131151 filepath_r: C:\Users\test22\AppData\Local\Temp\TheWorld\Application\TheWorld.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005ec	1	1
NtGetContextThread Aug. 2, 2023, 4:23 p.m.	thread_handle: 0x000005e0	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x000b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00220000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 7340032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00c00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: L(kernel32.dll$ý´CreateNamedPipeW base_address: 0x00d30000 process_identifier: 2864 process_handle: 0x000005ec	1	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 (PAGE_NOACCESS) base_address: 0x00d40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000005ec	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸R3ÉT$dÿÀÄÂ,ìRT$T$ÇD$ÔÇD$Øþ³ZÃ base_address: 0x00d40810 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸Rº(Ôÿâ base_address: 0x76f300a4 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸03ÉT$dÿÀÄÂìRT$T$ÇD$PÔÇD$¨´ZÃ base_address: 0x00d40850 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸0ºhÔÿâ base_address: 0x76f2fd54 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸:3ÉT$dÿÀÄÂìRT$T$ÇD$ÔÇD$Y´ZÃ base_address: 0x00d40890 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸:º¨Ôÿâ base_address: 0x76f2fe4c process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸3ÉT$dÿÀÄÂìRT$T$ÇD$ÐÔÇD$Ê´ZÃ base_address: 0x00d408d0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ºèÔÿâ base_address: 0x76f3132c process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸$3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$;´ZÃ base_address: 0x00d40910 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸$º( Ôÿâ base_address: 0x76f2fc28 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸þ3ÉT$dÿÀÄÂìRT$T$ÇD$P ÔÇD$O´ZÃ base_address: 0x00d40950 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸þºh Ôÿâ base_address: 0x76f31128 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸#3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$¼P´ZÃ base_address: 0x00d40990 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸#º¨ Ôÿâ base_address: 0x76f2fc10 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ù3ÉT$dÿÀÄÂìRT$T$ÇD$Ð ÔÇD$ÑQ´ZÃ base_address: 0x00d409d0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ùºè Ôÿâ base_address: 0x76f310b0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ 3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$O´ZÃ base_address: 0x00d40a10 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸ º( Ôÿâ base_address: 0x76f2f99c process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸!3ÉT$dÿÀÄÂìRT$T$ÇD$P ÔÇD$3O´ZÃ base_address: 0x00d40a50 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸!ºh Ôÿâ base_address: 0x76f2fbe0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸-3ÉT$dÿÀÄÂìRT$T$ÇD$ ÔÇD$R´ZÃ base_address: 0x00d40a90 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸-º¨ Ôÿâ base_address: 0x76f2fd08 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸,3ÉT$dÿÀÄÂìRT$T$ÇD$Ð ÔÇD$fO´ZÃ base_address: 0x00d40ad0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸,ºè Ôÿâ base_address: 0x76f2fcf0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸%3ÉT$dÿÀÄÂ(ìRT$T$ÇD$ÔÇD$¥´ZÃ base_address: 0x00d40b10 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸%º(Ôÿâ base_address: 0x76f2fc40 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸'3ÉT$dÿÀÄÂìRT$T$ÇD$PÔÇD$´ZÃ base_address: 0x00d40b50 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ¸'ºhÔÿâ base_address: 0x76f2fc70 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Ð base_address: 0x00d40800 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: ÔPÔ ÔP ÔÐ ÔP Ô ÔÐ Ô ÔÔPÔÔÐÔ Ô base_address: 0x00bcb1d0 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Ó base_address: 0x00bcb244 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: °úòvÐùòv4þòvHûòv@üòv(óvÈúòvèùòv@óvÈûòvpüòv&àóvµæóv·ôvIõvÑåûvõvßóv\|ÂövàÄøvñVþv@#óv base_address: 0x00bcb120 process_identifier: 2864 process_handle: 0x000005ec	1	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:23 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000005ec	1	0
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Section\Sessions\1\BaseNamedObjects\windows_shell_global_counters base_address: 0x00d50000 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: Õ base_address: 0x00bcb1a8 process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: base_address: 0x00bcb11c process_identifier: 2864 process_handle: 0x000005ec	1	1
WriteProcessMemory Aug. 2, 2023, 4:23 p.m.	buffer: base_address: 0x00bcb19c process_identifier: 2864 process_handle: 0x000005ec	1	1

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Injector.4!c
Elastic	malicious (moderate confidence)
McAfee	Artemis!C467FC9AAFA3
Cylance	unsafe
Sangfor	Dropper.Win32.Injector.Vwlr
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
Cyren	W32/ABRisk.MQGX-4526
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.BTQRPSQ
APEX	Malicious
Kaspersky	Trojan-Dropper.Win32.Injector.uwuw
Alibaba	TrojanDropper:Win32/Injector.3bb58300
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Drop.Injector.bthor
McAfee-GW-Edition	Artemis
Trapmine	suspicious.low.ml.score
Webroot	W32.Injector.uwuw
Avira	TR/Drop.Injector.bthor
Antiy-AVL	Trojan[Dropper]/Win32.Injector
Xcitium	Malware@#7g8u0287gww3
ZoneAlarm	Trojan-Dropper.Win32.Injector.uwuw
AhnLab-V3	Trojan/Win.Evo-gen.C5384754
VBA32	TrojanDropper.Injector
DeepInstinct	MALICIOUS
Malwarebytes	Malware.Heuristic.1003
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CBJ23
Tencent	Malware.Win32.Gencirc.117de6a0
Ikarus	Backdoor.Bredavi
MaxSecure	Trojan.Malware.201100169.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Evo-gen [Trj]
Avast	Win32:Evo-gen [Trj]

c9f02f547a430b15b6ba7fdafc885046cdbc0af9eb113250c70b0d3f02e03ee2

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All