Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 26, 2024, 6:37 p.m.	July 26, 2024, 6:49 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5aa3b4d694bc828650c63ade641f4581`
SHA256	`d3983e52c48a6f9844b5ca10248ee51b8a1f2bd6637243ff0384a92288572f61`
CRC32	`3BD32A3D`
ssdeep	`24576:bcW1jg/Z+bPaeDOAIsfkRTePAFt2adNSUZBNMxsMFAbwfSQbcI+LWBMmQ4JX+ZGm:gmjglbsfkRmadNbqBFA9HCW4wF5uCb`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

enter.exe "C:\Users\test22\AppData\Local\Temp\enter.exe"
2536
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2800
  - 66cf9615db.exe "C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe"
    3012
  - f6f1921920.exe "C:\Users\test22\1000003002\f6f1921920.exe"
    1120
    - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat C:\Users\test22\1000003002\f6f1921920.exe"
      1404
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        148
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208
        2228
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2176 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
        2444
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        2520
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2820
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\fae861c1-0e9c-4047-a4b9-1df299d24fc6.dmp"
        2504
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\fae861c1-0e9c-4047-a4b9-1df299d24fc6.dmp"
        800
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        1832
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        1868
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\07491923-3d16-4c30-a991-fe94ad83fed3.dmp"
        3568
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\07491923-3d16-4c30-a991-fe94ad83fed3.dmp"
        3616
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        3132
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        3188
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6a33a94b-fc28-4b34-8220-6090ccbeebb2.dmp"
        3396
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\6a33a94b-fc28-4b34-8220-6090ccbeebb2.dmp"
        3440
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        3696
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        3744
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        3844
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        3892
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49233 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49235 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49255 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.19:80 -> 192.168.56.101:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49258 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49264 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49232 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49262 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 26, 2024, 6:38 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA July 26, 2024, 6:31 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 131 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:37 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0
IsDebuggerPresent July 26, 2024, 6:38 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Locales\ko.pak
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2024, 6:38 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	eqezoorp
section	vzestrad
section	.taggant

One or more processes crashed (50 out of 246 events)

Time & API	Arguments	Status
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: enter+0x31e0b9 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 3268793 exception.address: 0xdae0b9 registers.esp: 4389132 registers.edi: 0 registers.eax: 1 registers.ebp: 4389148 registers.edx: 16068608 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 17 ea f9 3b 81 2c 24 fd f8 27 24 exception.symbol: enter+0x6d66d exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 448109 exception.address: 0xafd66d registers.esp: 4389100 registers.edi: 1968898280 registers.eax: 4294940244 registers.ebp: 4001542164 registers.edx: 11075584 registers.ebx: 11551895 registers.esi: 3 registers.ecx: 236777	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 18 ff 34 24 ff 34 24 e9 9e f7 ff exception.symbol: enter+0x6e8cb exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 452811 exception.address: 0xafe8cb registers.esp: 4389100 registers.edi: 1968898280 registers.eax: 11555497 registers.ebp: 4001542164 registers.edx: 11075584 registers.ebx: 11551895 registers.esi: 3 registers.ecx: 1356281822	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 56 be 73 5e 99 6b 68 5c 43 5a 10 89 3c 24 53 exception.symbol: enter+0x6e775 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 452469 exception.address: 0xafe775 registers.esp: 4389100 registers.edi: 1968898280 registers.eax: 11555497 registers.ebp: 4001542164 registers.edx: 11075584 registers.ebx: 4294940452 registers.esi: 3 registers.ecx: 1259	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 50 c7 04 24 36 61 fa 7e e9 d4 fb exception.symbol: enter+0x1f7408 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2061320 exception.address: 0xc87408 registers.esp: 4389100 registers.edi: 11560880 registers.eax: 13138052 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 43975327 registers.esi: 270313 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 51 b9 44 f0 d7 74 81 c9 9e df fb 4f 81 f1 e6 exception.symbol: enter+0x1f9021 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2068513 exception.address: 0xc89021 registers.esp: 4389096 registers.edi: 11560880 registers.eax: 13143329 registers.ebp: 4001542164 registers.edx: 892792518 registers.ebx: 43975327 registers.esi: 270313 registers.ecx: 347571279	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 56 e9 ce fe ff ff 81 c3 69 20 ff 23 81 c3 87 exception.symbol: enter+0x1f9580 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2069888 exception.address: 0xc89580 registers.esp: 4389100 registers.edi: 11560880 registers.eax: 13172267 registers.ebp: 4001542164 registers.edx: 892792518 registers.ebx: 43975327 registers.esi: 270313 registers.ecx: 347571279	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 55 bd 9b 22 c6 35 81 ec 04 00 00 00 e9 00 00 exception.symbol: enter+0x1f976a exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2070378 exception.address: 0xc8976a registers.esp: 4389100 registers.edi: 0 registers.eax: 13146255 registers.ebp: 4001542164 registers.edx: 892792518 registers.ebx: 1549541099 registers.esi: 270313 registers.ecx: 347571279	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 51 e9 76 02 00 00 50 b8 62 ef ff 7e 40 52 ba exception.symbol: enter+0x1fa331 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2073393 exception.address: 0xc8a331 registers.esp: 4389100 registers.edi: 1995505668 registers.eax: 29729 registers.ebp: 4001542164 registers.edx: 0 registers.ebx: 13178454 registers.esi: 1551381551 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 53 e9 03 03 00 00 5a e9 b4 fc ff ff ff 74 24 exception.symbol: enter+0x1fa61d exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2074141 exception.address: 0xc8a61d registers.esp: 4389100 registers.edi: 0 registers.eax: 29729 registers.ebp: 4001542164 registers.edx: 1259 registers.ebx: 13151690 registers.esi: 1551381551 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 04 exception.symbol: enter+0x20447f exception.instruction: in eax, dx exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2114687 exception.address: 0xc9447f registers.esp: 4389092 registers.edi: 4402703 registers.eax: 1447909480 registers.ebp: 4001542164 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 13180726 registers.ecx: 20	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: enter+0x2040c4 exception.address: 0xc940c4 exception.module: enter.exe exception.exception_code: 0xc000001d exception.offset: 2113732 registers.esp: 4389092 registers.edi: 4402703 registers.eax: 1 registers.ebp: 4001542164 registers.edx: 22104 registers.ebx: 0 registers.esi: 13180726 registers.ecx: 20	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 68 2b 2d 12 01 exception.symbol: enter+0x206d2b exception.instruction: in eax, dx exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2125099 exception.address: 0xc96d2b registers.esp: 4389092 registers.edi: 4402703 registers.eax: 1447909480 registers.ebp: 4001542164 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13180726 registers.ecx: 10	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 3e ff 34 24 8b 1c 24 83 c4 04 81 exception.symbol: enter+0x20acd2 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2141394 exception.address: 0xc9acd2 registers.esp: 4389100 registers.edi: 13243763 registers.eax: 27619 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 31261030 registers.esi: 10 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 63 04 00 00 ff 34 24 59 68 31 12 1e 57 89 exception.symbol: enter+0x20affa exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2142202 exception.address: 0xc9affa registers.esp: 4389100 registers.edi: 13243763 registers.eax: 27619 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 2014952032 registers.esi: 4294942652 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 e8 10 00 00 00 00 f2 d8 14 b6 94 94 exception.symbol: enter+0x20b745 exception.instruction: int 1 exception.module: enter.exe exception.exception_code: 0xc0000005 exception.offset: 2144069 exception.address: 0xc9b745 registers.esp: 4389060 registers.edi: 0 registers.eax: 4389060 registers.ebp: 4001542164 registers.edx: 1786433260 registers.ebx: 13219885 registers.esi: 4294944746 registers.ecx: 2082427796	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 d6 03 00 00 b9 63 8b cd 56 89 cb e9 fd 01 exception.symbol: enter+0x212908 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2173192 exception.address: 0xca2908 registers.esp: 4389100 registers.edi: 13243763 registers.eax: 13279072 registers.ebp: 4001542164 registers.edx: 13220476 registers.ebx: 1786433260 registers.esi: 4294936449 registers.ecx: 13220476	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 e4 00 00 00 b9 53 7b bd 3f e9 f6 05 00 00 exception.symbol: enter+0x2122f5 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2171637 exception.address: 0xca22f5 registers.esp: 4389100 registers.edi: 0 registers.eax: 13250280 registers.ebp: 4001542164 registers.edx: 604292951 registers.ebx: 1786433260 registers.esi: 4294936449 registers.ecx: 13220476	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 56 be 11 d3 7f 43 e9 ac f8 ff exception.symbol: enter+0x21b474 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2208884 exception.address: 0xcab474 registers.esp: 4389096 registers.edi: 11514122 registers.eax: 13281826 registers.ebp: 4001542164 registers.edx: 6 registers.ebx: 31261252 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 53 83 ec 04 e9 00 00 00 00 89 2c 24 e9 b2 00 exception.symbol: enter+0x21ab90 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2206608 exception.address: 0xcaab90 registers.esp: 4389100 registers.edi: 0 registers.eax: 13284481 registers.ebp: 4001542164 registers.edx: 6 registers.ebx: 31261252 registers.esi: 262633 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 56 89 e6 83 ec 04 89 1c 24 50 b8 a2 ee bf 6f exception.symbol: enter+0x21f938 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2226488 exception.address: 0xcaf938 registers.esp: 4389092 registers.edi: 0 registers.eax: 32489 registers.ebp: 4001542164 registers.edx: 563288103 registers.ebx: 13333927 registers.esi: 4294937964 registers.ecx: 4109429608	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 55 57 bf 6a 31 ff 6d bd 4f 2e 75 a4 29 fd 5f exception.symbol: enter+0x228387 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2261895 exception.address: 0xcb8387 registers.esp: 4389092 registers.edi: 4001542164 registers.eax: 0 registers.ebp: 4001542164 registers.edx: 13337800 registers.ebx: 84201 registers.esi: 13279570 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 52 89 e2 81 c2 04 00 00 00 exception.symbol: enter+0x2320ce exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2302158 exception.address: 0xcc20ce registers.esp: 4389088 registers.edi: 2082406400 registers.eax: 28859 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 13367353 registers.esi: 13377041 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 68 00 2a 5e 44 89 exception.symbol: enter+0x232995 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2304405 exception.address: 0xcc2995 registers.esp: 4389092 registers.edi: 2082406400 registers.eax: 1136472928 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 13367353 registers.esi: 13405900 registers.ecx: 4294941704	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 a2 00 00 00 83 c4 04 c1 e8 02 2d 8a 71 7c exception.symbol: enter+0x2456e3 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2381539 exception.address: 0xcd56e3 registers.esp: 4389056 registers.edi: 13450475 registers.eax: 13456050 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 1683973611 registers.esi: 13450609 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 a5 06 00 00 01 54 24 04 e9 c9 00 00 00 31 exception.symbol: enter+0x245538 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2381112 exception.address: 0xcd5538 registers.esp: 4389060 registers.edi: 322689 registers.eax: 13487696 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 4294938256 registers.esi: 13450609 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 89 e3 81 c3 04 00 exception.symbol: enter+0x246164 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2384228 exception.address: 0xcd6164 registers.esp: 4389060 registers.edi: 322689 registers.eax: 30104 registers.ebp: 4001542164 registers.edx: 1329345555 registers.ebx: 1609278208 registers.esi: 13489176 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 68 78 f4 ed 67 89 14 24 e9 08 00 00 00 31 14 exception.symbol: enter+0x246681 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2385537 exception.address: 0xcd6681 registers.esp: 4389060 registers.edi: 605325648 registers.eax: 30104 registers.ebp: 4001542164 registers.edx: 1329345555 registers.ebx: 1609278208 registers.esi: 13489176 registers.ecx: 4294940128	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 52 68 b2 da 67 58 5a 51 b9 00 f2 f9 6e 81 c9 exception.symbol: enter+0x246d89 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2387337 exception.address: 0xcd6d89 registers.esp: 4389056 registers.edi: 13462431 registers.eax: 27478 registers.ebp: 4001542164 registers.edx: 1329345555 registers.ebx: 322459615 registers.esi: 13489176 registers.ecx: 4294940128	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 0b 99 fa 1e e9 32 f9 ff ff 89 14 exception.symbol: enter+0x2473a7 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2388903 exception.address: 0xcd73a7 registers.esp: 4389060 registers.edi: 13489909 registers.eax: 27478 registers.ebp: 4001542164 registers.edx: 1329345555 registers.ebx: 322459615 registers.esi: 13489176 registers.ecx: 4294940128	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 83 ea 04 87 14 24 exception.symbol: enter+0x247150 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2388304 exception.address: 0xcd7150 registers.esp: 4389060 registers.edi: 13465137 registers.eax: 0 registers.ebp: 4001542164 registers.edx: 1329345555 registers.ebx: 322459615 registers.esi: 13489176 registers.ecx: 1392536160	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 24 fb ff ff 89 e6 e9 00 00 00 00 51 b9 04 exception.symbol: enter+0x249ffd exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2400253 exception.address: 0xcd9ffd registers.esp: 4389060 registers.edi: 13487318 registers.eax: 44777 registers.ebp: 4001542164 registers.edx: 13502274 registers.ebx: 11524916 registers.esi: 4294941928 registers.ecx: 1233979425	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 81 c6 36 fe 7f 7c 50 b8 4a 29 f7 7e 2d 7d e6 exception.symbol: enter+0x25037c exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2425724 exception.address: 0xce037c registers.esp: 4389056 registers.edi: 13487318 registers.eax: 30967 registers.ebp: 4001542164 registers.edx: 0 registers.ebx: 65786 registers.esi: 13498895 registers.ecx: 1971716238	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 33 ff 34 24 8b 0c 24 81 ec 04 00 exception.symbol: enter+0x24fe2d exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2424365 exception.address: 0xcdfe2d registers.esp: 4389060 registers.edi: 13487318 registers.eax: 30967 registers.ebp: 4001542164 registers.edx: 0 registers.ebx: 65786 registers.esi: 13529862 registers.ecx: 1971716238	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 68 87 95 f7 6f e9 exception.symbol: enter+0x2503f0 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2425840 exception.address: 0xce03f0 registers.esp: 4389060 registers.edi: 13487318 registers.eax: 30967 registers.ebp: 4001542164 registers.edx: 0 registers.ebx: 4294939408 registers.esi: 13529862 registers.ecx: 4157036136	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 51 b9 ac c5 fd 7f 81 c1 c6 d7 c1 fe 01 cb 59 exception.symbol: enter+0x250874 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2426996 exception.address: 0xce0874 registers.esp: 4389056 registers.edi: 13487318 registers.eax: 32853 registers.ebp: 4001542164 registers.edx: 0 registers.ebx: 13502400 registers.esi: 13529862 registers.ecx: 4157036136	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 f2 a9 81 67 89 2c 24 52 68 7a e3 exception.symbol: enter+0x250ca7 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2428071 exception.address: 0xce0ca7 registers.esp: 4389060 registers.edi: 4294937360 registers.eax: 32853 registers.ebp: 4001542164 registers.edx: 157417 registers.ebx: 13535253 registers.esi: 13529862 registers.ecx: 4157036136	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 55 e9 20 fd ff ff 01 fa 5f e9 3d 02 00 00 81 exception.symbol: enter+0x251a9d exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2431645 exception.address: 0xce1a9d registers.esp: 4389056 registers.edi: 4294937360 registers.eax: 13506416 registers.ebp: 4001542164 registers.edx: 157417 registers.ebx: 13535253 registers.esi: 13529862 registers.ecx: 1311442412	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 68 ca 19 fe 60 e9 e3 fa ff exception.symbol: enter+0x251ee4 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2432740 exception.address: 0xce1ee4 registers.esp: 4389060 registers.edi: 4294937360 registers.eax: 13531624 registers.ebp: 4001542164 registers.edx: 81129 registers.ebx: 13535253 registers.esi: 4294944620 registers.ecx: 1311442412	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 0c f7 ff ff 81 f6 70 1b 2b 74 56 59 5e 81 exception.symbol: enter+0x26672b exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2516779 exception.address: 0xcf672b registers.esp: 4389060 registers.edi: 13376371 registers.eax: 13617125 registers.ebp: 4001542164 registers.edx: 1960209163 registers.ebx: 8688304 registers.esi: 5701086 registers.ecx: 1973785264	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 1c 24 68 00 ec exception.symbol: enter+0x266467 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2516071 exception.address: 0xcf6467 registers.esp: 4389060 registers.edi: 606898519 registers.eax: 13592589 registers.ebp: 4001542164 registers.edx: 0 registers.ebx: 8688304 registers.esi: 5701086 registers.ecx: 1973785264	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 8a 71 a6 5e 89 2c 24 89 34 24 be exception.symbol: enter+0x270152 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2556242 exception.address: 0xd00152 registers.esp: 4389056 registers.edi: 13606622 registers.eax: 13629337 registers.ebp: 4001542164 registers.edx: 2481704 registers.ebx: 13606590 registers.esi: 13606586 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 57 56 be 45 79 f1 76 89 f7 5e 81 cf 5f d7 d7 exception.symbol: enter+0x26fda4 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2555300 exception.address: 0xcffda4 registers.esp: 4389060 registers.edi: 13606622 registers.eax: 13657423 registers.ebp: 4001542164 registers.edx: 2481704 registers.ebx: 13606590 registers.esi: 13606586 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 68 a2 42 e8 5a e9 93 fd ff ff 81 c6 33 f7 25 exception.symbol: enter+0x26fd46 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2555206 exception.address: 0xcffd46 registers.esp: 4389060 registers.edi: 604292951 registers.eax: 13632067 registers.ebp: 4001542164 registers.edx: 2481704 registers.ebx: 13606590 registers.esi: 13606586 registers.ecx: 0	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb e9 2a 01 00 00 b8 0b fa 7e 76 bf 8b 34 ec 56 exception.symbol: enter+0x275f33 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2580275 exception.address: 0xd05f33 registers.esp: 4389060 registers.edi: 13642793 registers.eax: 32257 registers.ebp: 4001542164 registers.edx: 13686623 registers.ebx: 13606590 registers.esi: 13606586 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 7d b0 fb 3e c1 24 24 04 f7 14 24 exception.symbol: enter+0x276298 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2581144 exception.address: 0xd06298 registers.esp: 4389060 registers.edi: 4294938000 registers.eax: 32257 registers.ebp: 4001542164 registers.edx: 13686623 registers.ebx: 13606590 registers.esi: 13606586 registers.ecx: 3923937618	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 83 ec 04 89 3c 24 68 91 66 af 64 exception.symbol: enter+0x2803c3 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2622403 exception.address: 0xd103c3 registers.esp: 4389060 registers.edi: 15591760 registers.eax: 28896 registers.ebp: 4001542164 registers.edx: 108 registers.ebx: 4294941444 registers.esi: 13726324 registers.ecx: 109	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 57 bf e9 d1 f9 7f 4f c1 ef 04 81 f7 exception.symbol: enter+0x28b837 exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2668599 exception.address: 0xd1b837 registers.esp: 4389060 registers.edi: 13376371 registers.eax: 4294939496 registers.ebp: 4001542164 registers.edx: 11 registers.ebx: 13714333 registers.esi: 2298801283 registers.ecx: 13773779	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 55 89 1c 24 55 bd 53 c4 4a 52 89 eb 5d e9 f9 exception.symbol: enter+0x294e3e exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2707006 exception.address: 0xd24e3e registers.esp: 4389056 registers.edi: 13376371 registers.eax: 25580 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 13714333 registers.esi: 13780730 registers.ecx: 2082406400	1
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: fb 56 e9 67 02 00 00 81 c2 e3 fa e9 7f 29 f2 81 exception.symbol: enter+0x29494d exception.instruction: sti exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2705741 exception.address: 0xd2494d registers.esp: 4389060 registers.edi: 13376371 registers.eax: 25580 registers.ebp: 4001542164 registers.edx: 2130566132 registers.ebx: 13714333 registers.esi: 13806310 registers.ecx: 2082406400	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/stealc/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/cost/random.exe

Performs some HTTP requests (3 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/stealc/random.exe
request	GET http://185.215.113.16/cost/random.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.19/Vi9leo/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:38 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00151000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorti.exe tried to sleep 1126 seconds, actually delayed analysis time by 1126 seconds

An application raised an exception which may be indicative of an exploit crash (12 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 148 crashed
Application Crash	Process firefox.exe with pid 2820 crashed
Application Crash	Process firefox.exe with pid 1868 crashed
Application Crash	Process firefox.exe with pid 3188 crashed
Application Crash	Process firefox.exe with pid 3744 crashed
Application Crash	Process firefox.exe with pid 3892 crashed
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: 0x1d52e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1d52e04 registers.r14: 187887664 registers.r15: 187888104 registers.rcx: 1536 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 110987360 registers.rsp: 187886840 registers.r11: 187891360 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1612 registers.r12: 32814656 registers.rbp: 187886976 registers.rdi: 32748832 registers.rax: 30748160 registers.r13: 187887536	1	0	0
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9826536 registers.r15: 8791500428912 registers.rcx: 48 registers.rsi: 8791500360576 registers.r10: 0 registers.rbx: 0 registers.rsp: 9826168 registers.r11: 9829552 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14920896 registers.rbp: 9826288 registers.rdi: 67215392 registers.rax: 13442816 registers.r13: 9827128	1	0	0
__exception__ July 26, 2024, 6:31 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10218712 registers.r15: 8791496955504 registers.rcx: 48 registers.rsi: 8791496887168 registers.r10: 0 registers.rbx: 0 registers.rsp: 10218344 registers.r11: 10221728 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14905984 registers.rbp: 10218464 registers.rdi: 248619040 registers.rax: 13442816 registers.r13: 10219304	1	0	0
__exception__ July 26, 2024, 6:31 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9631184 registers.r15: 9630688 registers.rcx: 48 registers.rsi: 14705280 registers.r10: 0 registers.rbx: 0 registers.rsp: 9629736 registers.r11: 9631936 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9630519 registers.rbp: 9629856 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ July 26, 2024, 6:31 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9236376 registers.r15: 8791373289072 registers.rcx: 48 registers.rsi: 8791373220736 registers.r10: 0 registers.rbx: 0 registers.rsp: 9236008 registers.r11: 9239392 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14916336 registers.rbp: 9236128 registers.rdi: 95526944 registers.rax: 13442816 registers.r13: 9236968	1	0	0
__exception__ July 26, 2024, 6:31 p.m.	stacktrace: 0xb91f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb91f04 registers.r14: 10419216 registers.r15: 10418720 registers.rcx: 48 registers.rsi: 14706144 registers.r10: 0 registers.rbx: 0 registers.rsp: 10417768 registers.r11: 10419968 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10418551 registers.rbp: 10417888 registers.rdi: 100 registers.rax: 12132096 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (44 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\3e59b4bf-187f-49f5-8de3-f688a44e4600.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Managed Mode Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66A3AB44-94.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\148-1721986635369140.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\1000003002\f6f1921920.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe
file	C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat C:\Users\test22\1000003002\f6f1921920.exe"

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe
file	C:\Users\test22\1000003002\f6f1921920.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 26, 2024, 6:37 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW July 26, 2024, 6:37 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe	1	1
ShellExecuteExW July 26, 2024, 6:37 p.m.	show_type: 0 filepath_r: C:\Users\test22\1000003002\f6f1921920.exe parameters: filepath: C:\Users\test22\1000003002\f6f1921920.exe	1	1
ShellExecuteExW July 26, 2024, 6:37 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat C:\Users\test22\1000003002\f6f1921920.exe" filepath: C:\Windows\sysnative\cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000268c23d0000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process explorti.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 26, 2024, 6:37 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ã}¸õÖ¦Ö¦Ö¦èj}¦Ö¦èjH¦Ö¦èj\|¦äÖ¦dE¦Ö¦×¦öÖ¦èjy¦Ö¦èjL¦Ö¦èjK¦Ö¦RichÖ¦PELARdà \ 0@`À´Xdð×YS@0¬.text` `.rdataX204@@.data p¶R@À.rsrcð×Ø@@VñÇxSBèöD$tVèYÆ^Âá4ïÆÃUìì(¡ BeøEÜ¡$BV3W{EàEøuðèÍÿÿÿ¡(BEø?Eè¡,BEäÇEì ÇEôEô¡ôYDÎÁáMè=©u ÇðYD@.ëí=ëu%\|TDEðÁèEüEüEäUøÖ3Â3Á+ø=ôYDÇìYDî=êôEüuEØP3ÀPPPÿd0Bjÿ¬0BÇÁèEüEàEüMøEøGÈaÇÁàEÜÏ3Á3Eü+ðÿMìuðMÿÿÿ{_3^ÉÃUì¡ôYD TDìVÁè3ö;ÆSWÙø=ôYDY uvVVÿX0BVVüÿÿPÿ$0BVVVÿ0BVVVVVVVh°QBÿ0BhüQBVÿ@0Bh(RBVÿ40BVVÿ0BVôÿÿPVh`RBVVÿ0BVÿl0BVÿ0BèKþÿÿÃOoÿÿÿ_[^ÉÃUììSVW3ö3ÿÿ0BÿBq Gÿ}\|é=ôYDVÿt0B3Àðº(ÿ 0BVVVVVVÿL0BVVVÿ\|0BVVVVVÿ¤1BVVVÿ<0BVì÷ÿÿPVÿh0Bh RBh¼RBh3CètVVVVè VVè´Ä$EüPMìÇEüàRBèÓMìÇEìxSBèëVVèüYY¡@BôYDKhðRB£0hDÿ0BhSBP£TDÿ`0Bÿ5ôYD£xTDVÿ,0BMøQj@ÿ5ôYD£TDPÿxTD3ÿÿÌ }(VVÿ1BVEüPVVVÿ0BVVVVVÿ0BVÿ1BVVVÿP0Bÿä[ Gÿ3\|¶\0B¿.iVì÷ÿÿPÿ1Bÿ1BÿÓOuç95ôYDvV¡0hD8K TD9=ôYDu,VVVVÿ0Bÿ(0BVÿl0BEüPVVVÿ°0BVVÿp0BG;=ôYDrª3ÿ¡ôYDÇ=uVVÿD0BVÿ1BhSBh4SBÿ0BGÿ\|Êèýÿÿ3ÿÿÓÿauuüEüEüTDGÿ½t\|Ýj{_=ôYDu-VVVVVVVÿ´0BVVÿx0BVÿT0BVVVVÿ0BVÿH0BOuÄhTSBÿ80BÿTD_^[ÉÃUììV3ö=ôYDWuDVVVVÿ0BVVVVVVVVVVÿ1BVèüVVè+Vè: VVè~VèÃ VVèÄ$3ÿÿm}VEüPVVVÿ0BVÿ0Bÿ\0BVÿ0Bÿþ. Gÿ\|Å¡lB£ôYDè£üÿÿ¿7ì=ôYDuVü÷ÿÿPÿ00BOuã_3À^ÉÂÿUìì eàWjY3À}äó«_9EuèêÇèÈÿÉÃEÀtäVÿuEèÿuEàÿuEàPÇEäÿÿÿÇEìBè$ ÄÿMäðxEàÆë EàPjèu YYÆ^ÉÃÿUìÿujÿuÿuègÿÿÿÄ]ÃAÀu¸2BÃÿUì}Wùt-VÿuèpVèéYYGÀtÿuVPèwÄÆG^_]ÂÿVñ~t ÿvèdYfÆF^ÃÿUìEVñfÇ2BÆFÿ0èÿÿÿÆ^]ÂÇ2Bé°ÿÿÿÿUìVñÇ2BèÿÿÿöEtVè`YÆ^]ÂÿUì}t-ÿujÿ5P%CÿÀ0BÀuVèðÿ\0BPè4Y^]Ãjh@UBèt3ÿ}ä3Àu;÷À;ÇuèLÇèïÈÿé´VèóY}üöF@uoVèYøÿtøþtÐÁúÈáÁá`hDë¹ tBöA$u)øÿtøþtÈÁùàÁà`hDë¸ tBö@$tèÉÇèlMäÿ9}äu!ÿNxE¶ÀÿëVÿuèYYEäÇEüþÿÿÿèEäèÕÃuVè©YÃÿUìQeüVEüPÿuÿuèY ðÄöu9EütèGÀt è>MüÆ^ÉÃÌÌÌÌW\|$ën¤$ÿL$W÷ÁtÁÀt=÷Áuïÿºÿþþ~Ððÿ3ÂÁ©tèAüÀt#ät©ÿt©ÿtëÍyÿë yþëyýëyüL$÷ÁtÁÒtfÇ÷ÁuêëÇºÿþþ~Ððÿ3ÂÁ©táÒt4öt'÷Âÿt÷ÂÿtëÇD$_ÃfD$ÆG_ÃfD$_ÃD$_ÃÿUì}uè(ÇèËÈÿ]ÃVuöuèÇè®Èÿëÿuè¾"YÈ#ÊÈÿV;Èt3À^]ÃÿUìÿuj jÿuè,%Ä]ÃÿUì]éÜÿÿÿÿUììMS]VW}Mø]üÿt}tÉuèÇè/3À_^[ÉÃuötÈÿ3Ò÷÷9Ev!ûÿtSjQè)-ÄötÁÈÿ3Ò÷÷9Ewµ¯}÷F}ðßtFEôëÇEôÿÚ÷FtDFÀt=òû;Ørø;}ü»Wÿ6ÿuüÿuøè7,)~>}ø+ßÄ)}ü}ðé;]ôr\}ôt¹ÿÿÿ3Ò;Ùv Á÷uôÁëÃ÷uôÃ+Âë¸ÿÿÿ;ØwÃ;Eüw[PÿuøVèoYPèÞÄÀt{øÿtdEø+Ø)Eüë$Vèé#YøÿtR}üt"MøÿEøFKÿMüEôÛ&ÿÿÿEé¼þÿÿ}ÿtÿujÿuèø+Äè Ç"éþÿÿN Ç+Ã3Ò÷uéþÿÿNëìjh`UBè3öuä9ut/9ut*9uu-}ÿtÿuVÿuè+ÄèÃÇèf3ÀèÃÿuèhYuüÿuÿuÿuÿuÿuè×ýÿÿÄEäÇEüþÿÿÿè request_handle: 0x00cc000c	1	1	0
InternetReadFile July 26, 2024, 6:37 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2V0@ \|qÈpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcV@@h¬hhAè\@ÄhèU@£AhhhèB@£Aè¼?¸pA£4AèÝÍèIËèCèÇèZèÔèøèx}è@CèÃ¶èk¡º.pA AèÓ?hõÿÿÿèã?£<A¸P¸AP1ÀPhhèÿ5 AèhhxpA APhè_ÿ5¨AèæhhppA¨APhè9hAhpAhh¡hèÊº:pA lAè+?ÿ5°AèhhppA°APhèå;@PèÁRèÍZPèÅhHAè:Íè XAûuèfèS,hèè±Ìÿ5AèÎ>èÏ>èµAèèçè½èìÀèSÃUSWºìÇ$JuóT$X$èa>ÿ4$èùDD$ÿt$èLD$T$RhhhhèÉT$RhhhhèvÉÇD$ÇD$ ÇD$$ÇD$(ÇD$,ÇD$0ÇD$ ÇD$ ÿt$XD$4ÿt$XD$8ÇD$ë¸ÿ;D$\|Tÿt$l$8XE\$4Ã\$4l$8¾]!Ûu ÿt$XD$8l$8¾EP\$ l$ÁãXD\$8C\$8ÿD$q¡ÇD$ ÇD$ë¸ÿ;D$\|m\$ \|$l$Áç\=\|$l$Áç\=ãÿ\$ \$l$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXDÿD$qÇD$ÇD$ ÿt$PXD$<ÇD$(ë\$TK;\$(Ã\$Cãÿ\$\$ \|$l$Áç\=ãÿ\$ \$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXD\$Áã\\|$ Áç\|=çÿûãÿ\$$\$$ÁãÿtXD$0l$<¾]3\$0Sl$@XE\$<C\$<ÿD$(.ÿÿÿT$RhhhhèÇT$RhhhhèÇÿt$èD$Pë1Àÿ4$èmÊPÿt$è0Èÿt$è'ÈXÄ@_[]ÂUSºìÇ$Juóè§ÊAû2\|AûuhAût¸ë1À!À¸&pAPÿ5AèB$ÇD$ë$;D$RèÉZPRèøÈZP¸fpAPÿt$ÿ5AèQBD$PèÉÿt$èé!ÀtLRèÄÈZPÿt$è3D$PèïÈT$Rè¥ÈZPRè=ÊT$Rè3ÊºfpARè(ÊD$Pè¾ÈÿD$aÿÿÿÿt$èë@D$hD$Pÿt$è4Pÿt$ ÿ5<AèX:ÿt$è;º$pA Aè:éÎÇAÇD$RèÈZPRèÈZP¸.pAPÿt$(ÿ5$Aè_AD$Pè%È¸2pAPÿt$èCD$ \|$ t\RèÅÇZPRè½ÇZP¸2pAPhÿt$ èAD$(PèÝÇRèÇZPRèÇZP¸2pAPhÿt$ èé@D$Pè¯ÇT$1Éè:î\$Ø¹÷ùÓ!Ûu+ÿt$è¡BP\$-AkÛÝXE\$C\$éRèÇZPRèÇZPhÿt$è¡CèüÈº6pAYQèÐ9Áè9´PARè×ÆZPRèoÈlARècÈRè½ÆZPRèµÆZP¸6pAPÿt$ èÄEXD$,PèÙÆÿt$(èÕAûuÿt$$èÜAPÿt$,è7ÿt$(è'$ARè]ÆZPRèõÇT$,RèëÇºfpARèàÇAPètÆé½Rè)ÆZPRè!ÆZP¸6pAPÿt$è0ED$PèFÆT$RèüÅZPRèÇ\$-AkÛÝEPèÆÿt$$è3AP\$-AkÛÝXEARè³ÅZPRèKÇPARè?ÇlARè3ÇT$Rè)ÇºfpARèÇAPè²Åëë\$C\$éLýÿÿD$ë1Àÿt$èÆÿt$(èÆÿt$è Æÿt$$èÆÿt$èûÅÄ,[]ÃS1ÀPPPPPPèWÆ¸qA£4AÇ$ë¸;$\|d¡4A¾D$ÿ4ARèâÄZPRèÚÄZP\$kÛÿSèDD$PèÅT$Rè·ÄZPRèOÆT$RèEÆD$PèÛÄÿ$qhè¬D$RèÄZPRèzÄZPèID$Pè©Äÿt$h¸$pAPÿt$ èk6RèKÄZPRèCÄZPÿt$èxxAPèlÄÿ5xAèÿ5xAè[ÿt$h¸$pAPÿ5xAè6RèöÃZPRèîÃZPÿt$è#,APèÄÿ5,Aè3ÿ5,Aèÿt$h¸$pAPÿ5,AèÁ5ÿ5,Aèw8RèÃZPRèÃZPÿt$èÃ@APè·Ãÿ5@AèÓÿt$ÿ5@Aè>8ÿt$h¸$pAPÿ5,Aè]5Rè=ÃZPRè5ÃZPÿt$èjpAPè^Ãÿt$èë1Àÿt$èØÃÿt$èÏÃÿt$èÆÃÄ[ÃUS1ÀPPPPPPè"ÄRèÜÂZPhhRèÊÂZPRèÂÂZPèÓzè¸5$èÎ4èÉ5$h !@Pÿt$è·4ÿ4$èµ4ÿ5°AèA request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.984651828533469, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98465182853

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a3400', u'virtual_address': u'0x0031e000', u'entropy': 7.952940556000886, u'name': u'eqezoorp', u'virtual_size': u'0x001a4000'}

entropy

7.952940556

description

A section with a high entropy has been found

entropy

0.994120791021

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 988 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://dts.search-results.com/sr?lng=
url	http://creativecommons.org/ns
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://drive-daily-5.corp.google.com/
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://search.goo.ne.jp/sgt.jsp?MT=
url	https://www.google.com/tools/feedback/chrome/__submit
url	http://ocsp.starfieldtech.com/08
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=
url	http://EVSecure-ocsp.geotrust.com0
url	https://developers.google.com/web/fundamentals/accessibility/accessible-styles
url	https://mammoth.ct.comodo.com/
url	http://hladaj.atlas.sk/fulltext/?phrase=
url	http://buscador.softonic.com/?q=
url	https://chrome-devtools-frontend.appspot.com/
url	https://drive-dau
url	https://hk.search.yahoo.com/sugg/chrome?output=fxjson

Yara rule detected in process memory (50 out of 1501 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 26, 2024, 6:38 p.m.	status_code: 0xc0000005 process_identifier: 148 process_handle: 0x0000000000000094		0	0
NtTerminateProcess July 26, 2024, 6:38 p.m.	status_code: 0xc0000005 process_identifier: 148 process_handle: 0x0000000000000094	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat C:\Users\test22\1000003002\f6f1921920.exe"
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat C:\Users\test22\1000003002\f6f1921920.exe"

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.16
host	185.215.113.19

Allocates execute permission to another process indicative of possible code injection (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 26, 2024, 6:37 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 3188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 3188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 3744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 3744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 3892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 6:31 p.m.	process_identifier: 3892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 358 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 26, 2024, 6:37 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 6:37 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\66cf9615db.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f6f1921920.exe	reg_value	C:\Users\test22\1000003002\f6f1921920.exe
file	C:\Windows\Tasks\explorti.job

Potential code injection by writing to the memory of another process (45 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: base_address: 0x000000013f6a22b0 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: base_address: 0x000000013f6b0d88 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: I»`#g?Aÿã base_address: 0x0000000076d81590 process_identifier: 2820 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: [ base_address: 0x000000013f6b0d78 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: I» g?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2820 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: [ base_address: 0x000000013f6b0d70 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: ÏT base_address: 0x000000013f650108 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f6aaae8 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:37 p.m.	buffer: base_address: 0x000000013f6b0c78 process_identifier: 2820 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f1822b0 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f190d88 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 1868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: ° base_address: 0x000000013f190d78 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: ° base_address: 0x000000013f190d70 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: ÏT base_address: 0x000000013f130108 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f18aae8 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f190c78 process_identifier: 1868 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f1822b0 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f190d88 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 3188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: Z base_address: 0x000000013f190d78 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: Z base_address: 0x000000013f190d70 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: ÏT base_address: 0x000000013f130108 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f18aae8 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f190c78 process_identifier: 3188 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3c22b0 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3d0d88 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I»`#9?Aÿã base_address: 0x0000000076d81590 process_identifier: 3744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3d0d78 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I» 9?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3d0d70 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: ÏT base_address: 0x000000013f370108 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f3caae8 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3d0c78 process_identifier: 3744 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3c22b0 process_identifier: 3892 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3d0d88 process_identifier: 3892 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I»`#9?Aÿã base_address: 0x0000000076d81590 process_identifier: 3892 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: 2 base_address: 0x000000013f3d0d78 process_identifier: 3892 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: I» 9?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3892 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: 2 base_address: 0x000000013f3d0d70 process_identifier: 3892 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: ÏT base_address: 0x000000013f370108 process_identifier: 3892 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f3caae8 process_identifier: 3892 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 6:31 p.m.	buffer: base_address: 0x000000013f3d0c78 process_identifier: 3892 process_handle: 0x0000000000000048	1	1

Network activity contains more than one unique useragent (2 events)

process	explorti.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (11 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2176 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1296,10169826000473031378,12349622251500549813,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=E56710EB561751AC76546BF11F5D2AF0 --mojo-platform-channel-handle=1328 --ignored=" --type=renderer " /prefetch:2
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\07491923-3d16-4c30-a991-fe94ad83fed3.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\fae861c1-0e9c-4047-a4b9-1df299d24fc6.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6a33a94b-fc28-4b34-8220-6090ccbeebb2.dmp"

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 54 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1120 resumed a thread in remote process 1404
Process injection	Process 1404 resumed a thread in remote process 148
Process injection	Process 1404 resumed a thread in remote process 2520
Process injection	Process 2228 resumed a thread in remote process 148
Process injection	Process 2520 resumed a thread in remote process 2820
Process injection	Process 1832 resumed a thread in remote process 1868
Process injection	Process 3132 resumed a thread in remote process 3188
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 1404	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2520	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:38 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2820	1	0	0
NtResumeThread July 26, 2024, 6:31 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1868	1	0	0
NtResumeThread July 26, 2024, 6:31 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3188	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 26, 2024, 6:37 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 04 exception.symbol: enter+0x20447f exception.instruction: in eax, dx exception.module: enter.exe exception.exception_code: 0xc0000096 exception.offset: 2114687 exception.address: 0xc9447f registers.esp: 4389092 registers.edi: 4402703 registers.eax: 1447909480 registers.ebp: 4001542164 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 13180726 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 220 events)

Time & API	Arguments	Status	Return
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2536	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 2804 thread_handle: 0x000003d8 process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2800	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 3016 thread_handle: 0x00000474 process_identifier: 3012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\66cf9615db.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 604 thread_handle: 0x00000464 process_identifier: 1120 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000003002\f6f1921920.exe track: 1 command_line: "C:\Users\test22\1000003002\f6f1921920.exe" filepath_r: C:\Users\test22\1000003002\f6f1921920.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 1120	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 800 thread_handle: 0x00000224 process_identifier: 1404 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\sysnative\cmd.exe track: 1 command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D78.tmp\D79.tmp\D7A.bat C:\Users\test22\1000003002\f6f1921920.exe" filepath_r: C:\Windows\sysnative\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000228	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 1404	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 2176 thread_handle: 0x000000000000006c process_identifier: 148 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 148	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 2524 thread_handle: 0x0000000000000068 process_identifier: 2520 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2520	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 2224 thread_handle: 0x0000000000000098 process_identifier: 2228 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 2440 thread_handle: 0x0000000000000144 process_identifier: 2444 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2176 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x00000000000001c0 suspend_count: 1 process_identifier: 148	1	0
CreateProcessInternalW July 26, 2024, 6:37 p.m.	thread_identifier: 2268 thread_handle: 0x00000000000005e4 process_identifier: 2260 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1296,10169826000473031378,12349622251500549813,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=E56710EB561751AC76546BF11F5D2AF0 --mojo-platform-channel-handle=1328 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000064c	1	1
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x00000000000000e0 suspend_count: 1 process_identifier: 2228	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 148	1	0
NtGetContextThread July 26, 2024, 6:37 p.m.	thread_handle: 0x0000000000000154	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!5AA3B4D694BC
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.5aa3b4d694bc8286
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=81)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Backdoor:Win32/Bladabindi!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.1DWaaKuQr@fi
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

enter.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All