Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 17, 2024, 9:02 a.m.	July 17, 2024, 9:04 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`73aa6448467db3d1ac25f7e9d8cf1cd4`
SHA256	`931076586d551cccba6532aeb6393cc64ab293035c582125ef32e7eb82e3b0e5`
CRC32	`CEFD9173`
ssdeep	`24576:tUFuDtv4dsn0Ff5qI/z8L642KlCWZr9zs7wKztmZ7RGP3Wg+8o:tvDtvnn0R5h3cLZ9smNR0W4o`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

chart.exe "C:\Users\test22\AppData\Local\Temp\chart.exe"
932
- cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22\AppData\Local\Temp\AAAEBAFBGI.exe"
  2528
- cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22\AppData\Local\Temp\IEHDAFHDHC.exe"
  2612

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.91.77.81	Active	Moloch
85.28.47.30	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 85.28.47.30:80 -> 192.168.56.103:49162	2400008	ET DROP Spamhaus DROP Listed Traffic Inbound group 9	Misc Attack
TCP 192.168.56.103:49162 -> 85.28.47.30:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 85.28.47.30:80 -> 192.168.56.103:49162	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 85.28.47.30:80 -> 192.168.56.103:49162	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 85.28.47.30:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 85.28.47.30:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 85.28.47.30:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 85.28.47.30:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 85.28.47.30:80 -> 192.168.56.103:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 85.28.47.30:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 17, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 17, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 17, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 17, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 17, 2024, 9:03 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 17, 2024, 9:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section
section	.data\x00Th

One or more processes crashed (30 events)

Time & API	Arguments	Status
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b0167 @ 0x1000167 chart+0x3bfdd5 @ 0x100fdd5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866212 registers.edi: 17772784 registers.eax: 0 registers.ebp: 3866240 registers.edx: 2 registers.ebx: 652864531 registers.esi: 15253504 registers.ecx: 10565500	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b0167 @ 0x1000167 chart+0x3bfdd5 @ 0x100fdd5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866212 registers.edi: 3866212 registers.eax: 0 registers.ebp: 3866240 registers.edx: 0 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866248	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b0167 @ 0x1000167 chart+0x3bfdd5 @ 0x100fdd5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866212 registers.edi: 3866212 registers.eax: 0 registers.ebp: 3866240 registers.edx: 0 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866248	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b0167 @ 0x1000167 chart+0x3bfdd5 @ 0x100fdd5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866212 registers.edi: 3866212 registers.eax: 0 registers.ebp: 3866240 registers.edx: 2 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866248	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b0167 @ 0x1000167 chart+0x3bfdd5 @ 0x100fdd5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866212 registers.edi: 3866212 registers.eax: 0 registers.ebp: 3866240 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866248	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b0167 @ 0x1000167 chart+0x3bfdd5 @ 0x100fdd5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866212 registers.edi: 3866212 registers.eax: 0 registers.ebp: 3866240 registers.edx: 0 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866248	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3446 @ 0x1003446 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 16568816 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 11059200 registers.esi: 15253504 registers.ecx: 15253504	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3446 @ 0x1003446 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3446 @ 0x1003446 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3446 @ 0x1003446 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3446 @ 0x1003446 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b36f5 @ 0x10036f5 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 16568816 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 11059200 registers.esi: 15253504 registers.ecx: 167680307	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b36f5 @ 0x10036f5 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b36f5 @ 0x10036f5 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b387e @ 0x100387e chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 16568816 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 11059200 registers.esi: 15253504 registers.ecx: 3866168	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b387e @ 0x100387e chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b387e @ 0x100387e chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b387e @ 0x100387e chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b387e @ 0x100387e chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b387e @ 0x100387e chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3a67 @ 0x1003a67 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 16568816 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 11059200 registers.esi: 15253504 registers.ecx: 0	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3a67 @ 0x1003a67 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: f7 f0 e8 38 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f71f9 exception.instruction: div eax exception.module: chart.exe exception.exception_code: 0xc0000094 exception.offset: 3109369 exception.address: 0xf471f9 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 0 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3a67 @ 0x1003a67 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16019983 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 16568816 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 11059200 registers.esi: 15253504 registers.ecx: 3607039093	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1
__exception__ July 17, 2024, 9:02 a.m.	stacktrace: chart+0x3b3b85 @ 0x1003b85 chart+0x3bfde5 @ 0x100fde5 chart+0x4a23a6 @ 0x10f23a6 exception.instruction_r: 0f 0b e8 0d 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: chart+0x2f7224 exception.instruction: ud2 exception.module: chart.exe exception.exception_code: 0xc000001d exception.offset: 3109412 exception.address: 0xf47224 registers.esp: 3866140 registers.edi: 3866140 registers.eax: 0 registers.ebp: 3866168 registers.edx: 2 registers.ebx: 16020026 registers.esi: 0 registers.ecx: 3866176	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://85.28.47.30/920475a59bac849d.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.28.47.30/69934896f997d5bb/vcruntime140.dll

Performs some HTTP requests (8 events)

request	POST http://85.28.47.30/920475a59bac849d.php
request	GET http://85.28.47.30/69934896f997d5bb/sqlite3.dll
request	GET http://85.28.47.30/69934896f997d5bb/freebl3.dll
request	GET http://85.28.47.30/69934896f997d5bb/mozglue.dll
request	GET http://85.28.47.30/69934896f997d5bb/msvcp140.dll
request	GET http://85.28.47.30/69934896f997d5bb/nss3.dll
request	GET http://85.28.47.30/69934896f997d5bb/softokn3.dll
request	GET http://85.28.47.30/69934896f997d5bb/vcruntime140.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://85.28.47.30/920475a59bac849d.php

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 9:02 a.m.	process_identifier: 932 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4962 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\4\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\th\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hr\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\sk\Network\Cookies

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (4 events)

cmdline	C:\Windows\System32\cmd.exe /c start "" "C:\Users\test22\AppData\Local\Temp\IEHDAFHDHC.exe"
cmdline	C:\Windows\System32\cmd.exe /c start "" "C:\Users\test22\AppData\Local\Temp\AAAEBAFBGI.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22\AppData\Local\Temp\IEHDAFHDHC.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22\AppData\Local\Temp\AAAEBAFBGI.exe"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 17, 2024, 9:03 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c start "" "C:\Users\test22\AppData\Local\Temp\AAAEBAFBGI.exe" filepath: C:\Windows\System32\cmd.exe	1	1	0
ShellExecuteExW July 17, 2024, 9:03 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c start "" "C:\Users\test22\AppData\Local\Temp\IEHDAFHDHC.exe" filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: mobsync.exe process_identifier: 2032	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: taskhost.exe process_identifier: 792	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 1648	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: SearchProtocolHost.exe process_identifier: 724	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: SearchFilterHost.exe process_identifier: 316	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: conhost.exe process_identifier: 1268	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: chart.exe process_identifier: 932	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 1608	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000470 process_name: svchost.exe process_identifier: 2252	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000470 process_name: mscorsvw.exe process_identifier: 2280	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000470 process_name: mscorsvw.exe process_identifier: 2324	1	1
Process32NextW July 17, 2024, 9:02 a.m.	snapshot_handle: 0x00000470 process_name: sppsvc.exe process_identifier: 2372	1	1

An executable file was downloaded by the process chart.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile July 17, 2024, 9:02 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (6 events)

section

{u'size_of_data': u'0x0000a600', u'virtual_address': u'0x00001000', u'entropy': 7.986295184518006, u'name': u'', u'virtual_size': u'0x0001b000'}

entropy

7.98629518452

description