Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 29, 2024, 1:22 p.m.	July 29, 2024, 1:40 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a45cd34dab56ce2f61232c79a750374d`
SHA256	`bd7458b4201fc99b83cf5784c8f02b575d724cc4dee8972a8e95a37858fde55f`
CRC32	`90A7409C`
ssdeep	`49152:wB5UV20xq7JP4Kcr8/wNh3IV+T3ebUv6uA4+66M:wB+2uGJQKcrW2we3eYv6V6D`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2544
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2820
  - 17a12ed0f8.exe "C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe"
    3020
  - 75c5ed8dda.exe "C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe"
    812
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      1356
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2216
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\ed748d2a-8ada-4d33-884e-e2fb34e8f309.dmp"
        2604
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\ed748d2a-8ada-4d33-884e-e2fb34e8f309.dmp"
        2812
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        648
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        676
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\42dc52c3-4edb-4337-842a-8cf86b5d9964.dmp"
        2668
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\42dc52c3-4edb-4337-842a-8cf86b5d9964.dmp"
        2144
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        2120
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2452
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\25486c72-1a2d-424a-acf3-a490fab06966.dmp"
        948
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\25486c72-1a2d-424a-acf3-a490fab06966.dmp"
        1092
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        1320
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        736
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\bc4b21ca-8f6b-41c8-9a22-fcc66457be4b.dmp"
        1980
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\bc4b21ca-8f6b-41c8-9a22-fcc66457be4b.dmp"
        2228
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        1892
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2308
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.19:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49166 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49182 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 29, 2024, 1:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2024, 1:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2024, 1:24 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 97 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:22 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:23 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0
IsDebuggerPresent July 29, 2024, 1:24 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2024, 1:23 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	altqaqrb
section	nevwrxlc
section	.taggant

One or more processes crashed (50 out of 261 events)

Time & API	Arguments	Status
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3240b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3293369 exception.address: 0x3a40b9 registers.esp: 9502256 registers.edi: 0 registers.eax: 1 registers.ebp: 9502272 registers.edx: 5550080 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 51 b9 ae 95 76 6f 81 e1 d8 50 de 7f 81 c1 9b exception.symbol: random+0x6d03b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446523 exception.address: 0xed03b registers.esp: 9502220 registers.edi: 970069 registers.eax: 26622 registers.ebp: 3990990868 registers.edx: 524288 registers.ebx: 0 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 56 89 1c 24 52 ba 18 b6 52 74 57 e9 5d f6 ff exception.symbol: random+0x6d7cd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448461 exception.address: 0xed7cd registers.esp: 9502224 registers.edi: 996691 registers.eax: 238825 registers.ebp: 3990990868 registers.edx: 524288 registers.ebx: 0 registers.esi: 3 registers.ecx: 4294943788	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb bb ed 08 fd 6f 81 e3 61 28 d7 3b 87 f3 f7 d6 exception.symbol: random+0x6e106 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450822 exception.address: 0xee106 registers.esp: 9502224 registers.edi: 0 registers.eax: 31343 registers.ebp: 3990990868 registers.edx: 977785 registers.ebx: 0 registers.esi: 3 registers.ecx: 1259	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 04 01 00 00 01 cf e9 88 02 00 00 81 04 24 exception.symbol: random+0x1fa214 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2073108 exception.address: 0x27a214 registers.esp: 9502220 registers.edi: 1010311 registers.eax: 27703 registers.ebp: 3990990868 registers.edx: 2130566132 registers.ebx: 50135805 registers.esi: 2597235 registers.ecx: 765	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 61 fe ff ff 89 3c 24 bf 10 2b bb 7f 4f 81 exception.symbol: random+0x1fa80a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2074634 exception.address: 0x27a80a registers.esp: 9502224 registers.edi: 4294942584 registers.eax: 27703 registers.ebp: 3990990868 registers.edx: 517097 registers.ebx: 50135805 registers.esi: 2624938 registers.ecx: 765	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 31 d2 ff 34 1a 8b 0c 24 e9 5e 00 00 00 68 d6 exception.symbol: random+0x1fc83d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2082877 exception.address: 0x27c83d registers.esp: 9502224 registers.edi: 4294942584 registers.eax: 30136 registers.ebp: 3990990868 registers.edx: 586727826 registers.ebx: 2635907 registers.esi: 2624938 registers.ecx: 999179319	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 e8 ff ff ff 59 e9 82 00 00 00 50 e9 a6 03 exception.symbol: random+0x1fc613 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2082323 exception.address: 0x27c613 registers.esp: 9502224 registers.edi: 4294942584 registers.eax: 30136 registers.ebp: 3990990868 registers.edx: 4294939460 registers.ebx: 2635907 registers.esi: 2624938 registers.ecx: 1549541099	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 68 da c0 a3 6a e9 d8 00 00 00 29 eb 81 c3 46 exception.symbol: random+0x201b31 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2104113 exception.address: 0x281b31 registers.esp: 9502224 registers.edi: 13970968 registers.eax: 32211 registers.ebp: 3990990868 registers.edx: 1719770833 registers.ebx: 2660144 registers.esi: 3524753704 registers.ecx: 14288	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 56 e9 9d 00 00 00 89 e5 81 c5 04 00 00 00 50 exception.symbol: random+0x2020c1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2105537 exception.address: 0x2820c1 registers.esp: 9502224 registers.edi: 13970968 registers.eax: 1259 registers.ebp: 3990990868 registers.edx: 1719770833 registers.ebx: 2630672 registers.esi: 0 registers.ecx: 14288	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 e9 4e bf ff ff 5c 89 exception.symbol: random+0x20aaeb exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2140907 exception.address: 0x28aaeb registers.esp: 9502216 registers.edi: 13970968 registers.eax: 1447909480 registers.ebp: 3990990868 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 2642717 registers.ecx: 20	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x20a894 exception.address: 0x28a894 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2140308 registers.esp: 9502216 registers.edi: 13970968 registers.eax: 1 registers.ebp: 3990990868 registers.edx: 22104 registers.ebx: 0 registers.esi: 2642717 registers.ecx: 20	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 74 2a 2d 12 01 exception.symbol: random+0x20a124 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2138404 exception.address: 0x28a124 registers.esp: 9502216 registers.edi: 13970968 registers.eax: 1447909480 registers.ebp: 3990990868 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 2642717 registers.ecx: 10	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 80 ea 8c 6a 00 52 e8 03 00 00 00 20 exception.symbol: random+0x20dc73 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2153587 exception.address: 0x28dc73 registers.esp: 9502184 registers.edi: 0 registers.eax: 9502184 registers.ebp: 3990990868 registers.edx: 121203336 registers.ebx: 2678237 registers.esi: 0 registers.ecx: 121218171	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 53 bb 1c 6b 5b 39 81 ef 44 39 dd 7b 01 df 52 exception.symbol: random+0x20eb97 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2157463 exception.address: 0x28eb97 registers.esp: 9502220 registers.edi: 2679063 registers.eax: 25793 registers.ebp: 3990990868 registers.edx: 184341727 registers.ebx: 4862265 registers.esi: 2678486 registers.ecx: 2678470	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 56 89 14 24 c7 04 24 fa c5 92 03 89 04 24 55 exception.symbol: random+0x20e99f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2156959 exception.address: 0x28e99f registers.esp: 9502224 registers.edi: 2704856 registers.eax: 25793 registers.ebp: 3990990868 registers.edx: 184341727 registers.ebx: 4862265 registers.esi: 2678486 registers.ecx: 2678470	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 51 89 34 24 c7 04 24 64 f8 bc 2f 56 e9 3a fa exception.symbol: random+0x20ec27 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2157607 exception.address: 0x28ec27 registers.esp: 9502224 registers.edi: 2682160 registers.eax: 25793 registers.ebp: 3990990868 registers.edx: 184341727 registers.ebx: 6379 registers.esi: 0 registers.ecx: 2678470	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 78 fc ff ff f7 d5 81 c5 41 e5 7f 37 e9 fd exception.symbol: random+0x2161f8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2187768 exception.address: 0x2961f8 registers.esp: 9502220 registers.edi: 2682160 registers.eax: 2709736 registers.ebp: 3990990868 registers.edx: 2683026 registers.ebx: 6379 registers.esi: 0 registers.ecx: 2683026	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 fd 01 00 00 b8 04 00 00 00 01 c2 58 83 c2 exception.symbol: random+0x2160d4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2187476 exception.address: 0x2960d4 registers.esp: 9502224 registers.edi: 2682160 registers.eax: 2735720 registers.ebp: 3990990868 registers.edx: 2683026 registers.ebx: 6379 registers.esi: 0 registers.ecx: 2683026	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 47 00 00 00 68 c1 54 94 2e 89 0c 24 52 ba exception.symbol: random+0x216251 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2187857 exception.address: 0x296251 registers.esp: 9502224 registers.edi: 1373997397 registers.eax: 2712708 registers.ebp: 3990990868 registers.edx: 2683026 registers.ebx: 6379 registers.esi: 0 registers.ecx: 0	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 6c fe ff ff 81 04 24 18 e5 3a 05 ff 34 24 exception.symbol: random+0x21e9c4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2222532 exception.address: 0x29e9c4 registers.esp: 9502224 registers.edi: 965630 registers.eax: 32009 registers.ebp: 3990990868 registers.edx: 2776471 registers.ebx: 4862487 registers.esi: 262633 registers.ecx: 4294938120	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 52 ba 04 00 00 00 exception.symbol: random+0x223dd5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2244053 exception.address: 0x2a3dd5 registers.esp: 9502216 registers.edi: 965630 registers.eax: 29114 registers.ebp: 3990990868 registers.edx: 1500142005 registers.ebx: 4294941060 registers.esi: 2795890 registers.ecx: 1179202795	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 68 eb ae e4 34 89 34 24 89 0c 24 b9 20 de a3 exception.symbol: random+0x228d37 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2264375 exception.address: 0x2a8d37 registers.esp: 9502212 registers.edi: 965630 registers.eax: 27748 registers.ebp: 3990990868 registers.edx: 2785841 registers.ebx: 1571073347 registers.esi: 2795890 registers.ecx: 1626406912	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 13 ff 34 24 8b 34 24 57 89 e7 81 exception.symbol: random+0x228d80 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2264448 exception.address: 0x2a8d80 registers.esp: 9502216 registers.edi: 965630 registers.eax: 27748 registers.ebp: 3990990868 registers.edx: 2813589 registers.ebx: 1571073347 registers.esi: 2795890 registers.ecx: 1626406912	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 e2 fe ff ff 89 c5 58 81 ee 4a 64 ef 3f 01 exception.symbol: random+0x22866f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2262639 exception.address: 0x2a866f registers.esp: 9502216 registers.edi: 965630 registers.eax: 27748 registers.ebp: 3990990868 registers.edx: 2813589 registers.ebx: 4294942668 registers.esi: 84201 registers.ecx: 1626406912	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 50 e9 bd f6 ff ff 97 f7 d0 97 87 fa e9 87 fb exception.symbol: random+0x2465f5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385397 exception.address: 0x2c65f5 registers.esp: 9502184 registers.edi: 2901851 registers.eax: 26218 registers.ebp: 3990990868 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2901851 registers.ecx: 2933451	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 9d dd bc 6e ff 34 24 58 53 e9 97 exception.symbol: random+0x2467a8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385832 exception.address: 0x2c67a8 registers.esp: 9502184 registers.edi: 3200210770 registers.eax: 26218 registers.ebp: 3990990868 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 0 registers.ecx: 2910135	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 67 fa ff ff 81 ed 81 09 75 3f 01 d5 81 c5 exception.symbol: random+0x247083 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2388099 exception.address: 0x2c7083 registers.esp: 9502180 registers.edi: 2910614 registers.eax: 31222 registers.ebp: 3990990868 registers.edx: 823764402 registers.ebx: 1657441545 registers.esi: 0 registers.ecx: 2910135	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 31 c9 ff 34 0f e9 bb 07 00 00 5d 50 89 e0 05 exception.symbol: random+0x246c11 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2386961 exception.address: 0x2c6c11 registers.esp: 9502184 registers.edi: 2941836 registers.eax: 31222 registers.ebp: 3990990868 registers.edx: 823764402 registers.ebx: 1657441545 registers.esi: 0 registers.ecx: 2910135	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 52 50 89 e0 53 bb 04 00 00 00 01 d8 5b 83 e8 exception.symbol: random+0x246fb5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2387893 exception.address: 0x2c6fb5 registers.esp: 9502184 registers.edi: 2941836 registers.eax: 4071983456 registers.ebp: 3990990868 registers.edx: 823764402 registers.ebx: 1657441545 registers.esi: 0 registers.ecx: 4294938784	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 53 e9 02 fb ff ff 89 2c 24 89 1c 24 52 ba 00 exception.symbol: random+0x24833e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2392894 exception.address: 0x2c833e registers.esp: 9502184 registers.edi: 2940669 registers.eax: 25297 registers.ebp: 3990990868 registers.edx: 823764402 registers.ebx: 721426842 registers.esi: 0 registers.ecx: 4294938784	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 77 48 fb 06 89 04 24 e9 00 00 00 exception.symbol: random+0x2485ee exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2393582 exception.address: 0x2c85ee registers.esp: 9502184 registers.edi: 2917977 registers.eax: 25297 registers.ebp: 3990990868 registers.edx: 0 registers.ebx: 721426842 registers.esi: 0 registers.ecx: 2484562	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 a2 f4 ff ff 48 ef 26 a6 c0 46 27 56 e8 28 exception.symbol: random+0x24936a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2397034 exception.address: 0x2c936a registers.esp: 9502180 registers.edi: 2917977 registers.eax: 30454 registers.ebp: 3990990868 registers.edx: 2918342 registers.ebx: 721426842 registers.esi: 0 registers.ecx: 175683212	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 a4 ff ff ff ff 34 24 e9 exception.symbol: random+0x248dbb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2395579 exception.address: 0x2c8dbb registers.esp: 9502184 registers.edi: 2917977 registers.eax: 30454 registers.ebp: 3990990868 registers.edx: 2921324 registers.ebx: 721426842 registers.esi: 1342204512 registers.ecx: 0	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 51 68 4d a1 d6 6b e9 e8 00 00 00 81 04 24 0b exception.symbol: random+0x24d7ec exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2414572 exception.address: 0x2cd7ec registers.esp: 9502180 registers.edi: 2922139 registers.eax: 2937016 registers.ebp: 3990990868 registers.edx: 0 registers.ebx: 65786 registers.esi: 2921355 registers.ecx: 1971716238	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 57 e9 18 fb ff ff 81 ee 04 00 00 00 87 34 24 exception.symbol: random+0x24d7b5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2414517 exception.address: 0x2cd7b5 registers.esp: 9502184 registers.edi: 2922139 registers.eax: 2963366 registers.ebp: 3990990868 registers.edx: 44777 registers.ebx: 65786 registers.esi: 4294944048 registers.ecx: 1971716238	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 81 c6 da e7 b7 7f 68 39 64 21 27 89 1c 24 e9 exception.symbol: random+0x24e3e4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2417636 exception.address: 0x2ce3e4 registers.esp: 9502180 registers.edi: 2922139 registers.eax: 30465 registers.ebp: 3990990868 registers.edx: 1019183030 registers.ebx: 973728 registers.esi: 2940869 registers.ecx: 345384192	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 c9 00 00 00 81 c7 01 2e 76 47 81 f7 2f 47 exception.symbol: random+0x24e19f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2417055 exception.address: 0x2ce19f registers.esp: 9502184 registers.edi: 2922139 registers.eax: 30465 registers.ebp: 3990990868 registers.edx: 65513 registers.ebx: 0 registers.esi: 2944386 registers.ecx: 345384192	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 52 ba f0 f3 df 7f f7 da 81 c2 06 32 9e ff e9 exception.symbol: random+0x252e5a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2436698 exception.address: 0x2d2e5a registers.esp: 9502180 registers.edi: 38555 registers.eax: 31171 registers.ebp: 3990990868 registers.edx: 38555 registers.ebx: 769 registers.esi: 769 registers.ecx: 2959443	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 31 ff ff 34 0f ff 34 24 ff 34 24 5a 56 81 ec exception.symbol: random+0x252c72 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2436210 exception.address: 0x2d2c72 registers.esp: 9502184 registers.edi: 38555 registers.eax: 31171 registers.ebp: 3990990868 registers.edx: 38555 registers.ebx: 769 registers.esi: 769 registers.ecx: 2990614	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 50 55 52 e9 4c 02 00 00 58 83 c4 04 e9 d3 05 exception.symbol: random+0x252a43 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2435651 exception.address: 0x2d2a43 registers.esp: 9502184 registers.edi: 4294938708 registers.eax: 31171 registers.ebp: 3990990868 registers.edx: 81129 registers.ebx: 769 registers.esi: 769 registers.ecx: 2990614	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 43 00 00 00 89 e7 56 be 3a 8d de 76 81 f6 exception.symbol: random+0x253b38 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2439992 exception.address: 0x2d3b38 registers.esp: 9502184 registers.edi: 4294938708 registers.eax: 32528 registers.ebp: 3990990868 registers.edx: 678621519 registers.ebx: 41478481 registers.esi: 2966694 registers.ecx: 0	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 52 ba 6d 32 ff 77 29 d7 5a 03 3c 24 53 e9 84 exception.symbol: random+0x26b434 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2536500 exception.address: 0x2eb434 registers.esp: 9502180 registers.edi: 3058902 registers.eax: 25265 registers.ebp: 3990990868 registers.edx: 2130566132 registers.ebx: 262323 registers.esi: 8338278 registers.ecx: 2133623219	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 31 c0 ff 34 38 8b 14 24 e9 00 exception.symbol: random+0x26b69b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2537115 exception.address: 0x2eb69b registers.esp: 9502184 registers.edi: 3084167 registers.eax: 25265 registers.ebp: 3990990868 registers.edx: 2130566132 registers.ebx: 262323 registers.esi: 8338278 registers.ecx: 2133623219	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 51 51 89 14 24 89 3c 24 e9 19 04 00 00 b8 c3 exception.symbol: random+0x26ad33 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2534707 exception.address: 0x2ead33 registers.esp: 9502184 registers.edi: 3084167 registers.eax: 4294944644 registers.ebp: 3990990868 registers.edx: 2179041617 registers.ebx: 262323 registers.esi: 8338278 registers.ecx: 2133623219	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 56 89 14 24 ba 22 49 6b 37 57 89 e7 81 c7 04 exception.symbol: random+0x26c3dc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2540508 exception.address: 0x2ec3dc registers.esp: 9502184 registers.edi: 3084167 registers.eax: 32629 registers.ebp: 3990990868 registers.edx: 1767225703 registers.ebx: 1911406245 registers.esi: 8338278 registers.ecx: 3094576	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb e9 0f fd ff ff 81 cf 85 9d 3b 2f c1 ef 01 55 exception.symbol: random+0x26c0f0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2539760 exception.address: 0x2ec0f0 registers.esp: 9502184 registers.edi: 607422805 registers.eax: 32629 registers.ebp: 3990990868 registers.edx: 1767225703 registers.ebx: 1911406245 registers.esi: 0 registers.ecx: 3064864	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 55 56 57 bf 1e 2c f9 7d 89 fe 5f 81 f6 15 59 exception.symbol: random+0x27945a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2593882 exception.address: 0x2f945a registers.esp: 9502184 registers.edi: 4294938332 registers.eax: 32227 registers.ebp: 3990990868 registers.edx: 2130566132 registers.ebx: 3360203880 registers.esi: 3148385 registers.ecx: 1626406912	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 50 b8 5c 7d ff 7f 51 68 0f 0b 5e 4e 89 04 24 exception.symbol: random+0x286d2e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2649390 exception.address: 0x306d2e registers.esp: 9502184 registers.edi: 1875428967 registers.eax: 32064 registers.ebp: 3990990868 registers.edx: 108 registers.ebx: 3203850 registers.esi: 3800362919 registers.ecx: 109	1
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: fb 68 02 f8 76 13 89 1c 24 50 c7 04 24 16 4c bd exception.symbol: random+0x286f4c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2649932 exception.address: 0x306f4c registers.esp: 9502184 registers.edi: 1875428967 registers.eax: 32064 registers.ebp: 3990990868 registers.edx: 108 registers.ebx: 3174346 registers.esi: 0 registers.ecx: 604292951	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/stealc/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe

Performs some HTTP requests (3 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/stealc/random.exe
request	GET http://185.215.113.16/well/random.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.19/Vi9leo/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 205 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00081000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:16 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01061000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 1:22 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	75c5ed8dda.exe tried to sleep 282 seconds, actually delayed analysis time by 282 seconds
description	explorti.exe tried to sleep 1134 seconds, actually delayed analysis time by 1134 seconds

An application raised an exception which may be indicative of an exploit crash (10 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2216 crashed
Application Crash	Process firefox.exe with pid 676 crashed
Application Crash	Process firefox.exe with pid 2308 crashed
Application Crash	Process firefox.exe with pid 2452 crashed
Application Crash	Process firefox.exe with pid 736 crashed
__exception__ July 29, 2024, 1:23 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10613368 registers.r15: 8791562491504 registers.rcx: 48 registers.rsi: 8791562423168 registers.r10: 0 registers.rbx: 0 registers.rsp: 10613000 registers.r11: 10616384 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14919456 registers.rbp: 10613120 registers.rdi: 65118240 registers.rax: 13442816 registers.r13: 10613960	1	0	0
__exception__ July 29, 2024, 1:23 p.m.	stacktrace: 0xb91f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb91f04 registers.r14: 10547352 registers.r15: 8791562557040 registers.rcx: 48 registers.rsi: 8791562488704 registers.r10: 0 registers.rbx: 0 registers.rsp: 10546984 registers.r11: 10550368 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 15967792 registers.rbp: 10547104 registers.rdi: 68270208 registers.rax: 12132096 registers.r13: 10547944	1	0	0
__exception__ July 29, 2024, 1:23 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10287744 registers.r15: 10287248 registers.rcx: 48 registers.rsi: 14707680 registers.r10: 0 registers.rbx: 0 registers.rsp: 10286296 registers.r11: 10288496 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10287079 registers.rbp: 10286416 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ July 29, 2024, 1:24 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9957704 registers.r15: 8791562557040 registers.rcx: 48 registers.rsi: 8791562488704 registers.r10: 0 registers.rbx: 0 registers.rsp: 9957336 registers.r11: 9960720 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14914896 registers.rbp: 9957456 registers.rdi: 66166816 registers.rax: 13442816 registers.r13: 9958296	1	0	0
__exception__ July 29, 2024, 1:24 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10417680 registers.r15: 10417184 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 10416232 registers.r11: 10418432 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10417015 registers.rbp: 10416352 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe
file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 29, 2024, 1:22 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW July 29, 2024, 1:22 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe	1	1
ShellExecuteExW July 29, 2024, 1:22 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000282aa070000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process explorti.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 29, 2024, 1:22 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $]2Z<\OZ<\OZ<\O5J÷OL<\O5JÂOJ<\O5JöO?<\OSDÏOQ<\OZ<]O,<\O5JóO[<\O5JÆO[<\O5JÁO[<\ORichZ<\OPEL)ç{dà h "0@pºàQx°°·üQ0M@0Ä.text@ `.rdataÄ+0,@@.dataì-`ÚJ@À.bemiwÓ$@@.bozarit (@À.rsrc°·°¸,@@á4ïÆÃUìì,¡ÀnBEØ¡ÄnBV3W{3ÉEÜEøuðMøèÌÿÿÿ¡ÈnBEø?Eè¡ÌnBEäÇEì ÇEôEôÆÁàEèEà¡TnD=©u ÇPnD@.ëí=ëu ÜhDEðÁèEüEüEäUøÖ3Â3Eà=TnDÇLnDî=êôEüuQQQQÿ0BEü3É+ø=TnDuEÔPQQQÿ¸0BjÿÀ0B3ÉÇÁèEüEÜEüUøEøGÈaÇÁàEØ×3Â3Eü+ðÿMìuð/ÿÿÿ{_3^ÉÃUì¡TnD àhDìVÁè3ö;ÆSWÙø=TnDY uvVVÿ`0BVVüÿÿPÿ(0BVVVÿ0BVVVVVVVhJBÿ$0BhÌJBVÿH0BhøJBVÿ<0BVVÿ0BVôÿÿPVh0KBVVÿ¤0BVÿt0BVÿ0Bè,þÿÿÃOoÿÿÿ_[^ÉÃUììSVW3ö3ÿÿ 0BÿBq Gÿ}\|é=TnD§Vÿ\|0BVVVVÿ0BVÿ´1B3Àðº(VVÿ¼0BVVVhpKBhKBh¸KBÿ\0BVVVÿ00BÿuüVVVVVVVVVVÿ1Bÿ¼1BVVVÿD0BVø÷ÿÿPVÿp0BhäKBhLBh`GCèqVVVVèjVVèÞVVèÌÄ,¡ÜBTnDKh$LB£\|Dÿ0Bh4LBP£ähDÿh0Bÿ5TnD£ØhDVÿ80BMøQj@ÿ5TnD£àhDPÿØhDd0B¿.iVøûÿÿPÿ¨1Bÿ 1BÿÓOuç95TnDvV¡\|D8K àhD9=TnDu,VVVVÿ 0Bÿ40BVÿt0BEüPVVVÿ0BVVÿx0BG;=TnDrª3ÿ¡TnDÇ=uVVÿL0BVÿ¬1BhDLBhtLBÿ0BGÿ\|ÊèKýÿÿ3ÿÿÓÿauuüEüEüàhDGÿ½t\|Ýj{_=TnDu1VVVVVVh°LBÿÄ0BVVÿ0BVÿl0BVVVVÿ0BVÿP0BOuÀhèLBÿt0BÿàhD_^[ÉÃUììV3ö=TnDWueVVVVÿ0BVVVÿ,0BhôLBÿ0BVVVVVVVVVVÿ1BVVèÞVVèVèlVè4VVèªVèVVèeVè^ Ä0S0B3ÿÿÌ }$VVÿ¤1BVEüPVVVÿ0BVVVVVÿÓVÿ°1BVVVÿT0Bÿä[ Gÿ3\|º3ÿÿm}VVVVVÿÓÿ 0Bÿd0BVÿ0Bÿþ. Gÿ\|Í¡B£TnDèzüÿÿ¿7ì[=TnDuVüûÿÿPÿX0BOuã_3À^ÉÂÿUìì eàWjY3À}äó«_9EuètÇèÈÿÉÃEÀtäVÿuEèÿuEàÿuEàPÇEäÿÿÿÇEìBè®ÄÿMäðxEàÆë EàPjèÿYYÆ^ÉÃÿUìÿujÿuÿuègÿÿÿÄ]ÃjhNBè[ 3ÿ}ä3Àu;÷À;ÇuèÔÇèwÈÿé´VèÛY}üöF@uoVèîYøÿtøþtÐÁúÈáÁáÀ\|Dë¹dBöA$u)øÿtøþtÈÁùàÁàÀ\|Dë¸dBö@$tèQÇèôMäÿ9}äu!ÿNxE¶ÀÿëVÿuèYYEäÇEüþÿÿÿèEäè¼ÃuVèYÃÿUìQeüVEüPÿuÿuè@!ðÄöu9EütèÏÀt èÆMüÆ^ÉÃÌÌÌÌÌÌÌÌÌÌÌW\|$ën¤$ÿL$W÷ÁtÁÀt=÷Áuïÿºÿþþ~Ððÿ3ÂÁ©tèAüÀt#ät©ÿt©ÿtëÍyÿë yþëyýëyüL$÷ÁtÁÒtfÇ÷ÁuêëÇºÿþþ~Ððÿ3ÂÁ©táÒt4öt'÷Âÿt÷ÂÿtëÇD$_ÃfD$ÆG_ÃfD$_ÃD$_ÃÿUìÿuj jÿuè°"Ä]ÃÿUì]éÜÿÿÿÿUì}uèÇè(Èÿ]ÃEÀtäjÿpÿ0ÿuè##Ä]ÃÿUììMS]VW}Mø]üÿt}tÉuè-ÇèÐ3À_^[ÉÃuötÈÿ3Ò÷÷9Ev!ûÿtSjQè+ÄötÁÈÿ3Ò÷÷9Ewµ¯}÷F}ðßtFEôëÇEôÿÚ÷FtDFÀt=òû;Ørø;}ü»Wÿ6ÿuüÿuøè)~>}ø+ßÄ)}ü}ðé;]ôr\}ôt¹ÿÿÿ3Ò;Ùv Á÷uôÁëÃ÷uôÃ+Âë¸ÿÿÿ;ØwÃ;Eüw[PÿuøVèpYPèB)ÄÀt{øÿtdEø+Ø)Eüë$VèM"YøÿtR}üt"MøÿEøFKÿMüEôÛ&ÿÿÿEé¼þÿÿ}ÿtÿujÿuèXÄèÁÇ"éþÿÿN Ç+Ã3Ò÷uéþÿÿNëìjh0NBè3öuä9ut/9ut9uu-}ÿtÿuVÿuèû)ÄèdÇè3ÀèÃÿuèiYuüÿuÿuÿuÿuÿuè×ýÿÿÄEäÇEüþÿÿÿèEäëÃÿuè¥YÃÿUìÿuÿuÿujÿÿuèZÿÿÿÄ]Ãè7-Àtjè9-Yö`Btjh@jèþÄjèc,ÌÿUìM¡`BU#U÷Ñ#ÈÊ `B]ÃÿUììSW}3Û;ûuèÇè*ÈÿéeVWè°ðYuø9_}_jSVèÄ.ÄEü;ÃûW÷Âu+Gé%O request_handle: 0x00cc000c	1	1	0
InternetReadFile July 29, 2024, 1:22 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELj§fà"¬ Æ(5¯À @P¯"@ P ¿ ®LÐè0 ° @àÀ ò@àÀö@à@ öú@àPbð @à.rsrcÐR@@y`(à@à.dataà"pÜ"@àØVß4èÆHïþX¦IÇýbgáíTT¦Th³1ÒðD\|8Ð®4aè¦´zêA¦M9¿îSù¼ª Ý[(ÆyÞö/8)9Ìcì,ÉA¯<bÿèXª6ÊD±²\fôìQ¦SmÇòhìä ²ÇdzÕiXr>¥¦nýSKç$9 Î,yß}<sÃßvE}kBn´Ø @Ô8-Ò9ÔIN)ÛváÖ`ÓIeu§qûú,~b rj4p¢ÑB)=L¿\o$¹§Î[êW¥ünC_Æz9t4Àbl^²:ÀÜ úÄÎôXpj0ª[èföQ¡M0`HÃ¦!]J`xî\p¯`¦Qfù¡ájV+ .±X^ÜWUq^à_ vêÛB0çÿÒzè=`UkMP×'êÐ!âGÌb½çE}4um ÚùÒ¢àØôn×Æü'òý¼¿Q!é<<z¢h@ðàó)4gõ¯9CF¸.¢(þ~¾õdÔ{=`ùÅ ÎÂ&¦¹¯KU4¸ÅlspØ4hs76/¢°?¦ß}yê²Ü})Ìpëêð¥¿áÐ8ÂÓÊÚXéÏnÓÃÉ/«´ÔGô5¬lB è>=]_ôO<;0kbÁà2?¶Pñ¤ª lprC{kÌ¬>PÄ`EàùvxøçFìÐ¨ç>6hÚ6d¾ã_z£±QHý)Ñ'nÛb?ýB¬ÜÓÞâ@×´õlÍaêëhÜEgä`É _ Z½®Zëÿ~äa}æ~o3äÆÑz,XÆä!rö¶6c1Ôÿ'Ü"ðÊ\"yÛÝôµúâFÞwßÜ¹Ëõ Æè öùñ@Táñ§à#ò¡Ù ð»3(ºÊíxÏÒµs¤89¯À´ i7µk÷íÙ»íýßùV_DBü§·ñÅ)§JØD¢K#:]2EÂ^c@òùÏù¾ÃZ/[Pµ°þVü3!ÖXç)[¢0/} r×)«¾Cõi/ÑïCÍOÍ'½ÚÑß ^\è'AjÚÇÏQØ.>=¹Ï[KcK>{Éù!^Zõ¥/_DØî¦g5R¬XÔØft:qä£ÕËXQÅUyÿçìÆîpjQ}kL´ [â¡1fµÔûhutNí $ Ç[Ñæ¾õ'0@)H2avRÍþ¾Dµ[Ô& Ü'êÿÞGX£KÈçl_,t½88¬:öâ!Ç]öÝ¿ï¦Ö7Væ@¦4Bg51búD©ÓirjÜ pâ°òJqaÜZ3Þ\Ï¹'õl2wìòµCíÿ¹`]ÅR,/ÿ2$ùd¸Gzºô·t`)tXÈàÞJtFÖA@¦ +3¯\|eÐ0èüôu'¾£Z Ã\|´Gokºq&?¼¼Î:¾(êuÐ5õ¯ÛK<3._NÐÁ<KLËßEÂ½_ýç(>Keb#T«^mëÊ´ÍLoZm¡÷3¶üÏL)G3õ0õ¼xbÃû?ìXGåÿÉeÍ8Qr!<^ W)%jÏ>öÝ¬Ùhþ[-K¥æ(=p¡¼oúÛRÈ¥äø¿¡â7Cl wóö(/d]{ÔõÑ-®b4ÅLê\hvÊØ¦Nâp$ßã&y&!ì³ß½KuxÈX8KóG~÷ _l½oÞ<äÏq5dam×¢ h¡\ên]Ex±wè4BÓZxhÿ¤Ã®k¼qpù`Ë°.óÎU +Jõá¼$øzâù"¿¨c²3É«wÛ]Õ08êm°?¾±<¼¬\OóË¦°z[3ËzG!C)²:÷Ga¤/I{o8 ³ :ÓpÃ;¬zÀ¯åAÖ%ñÌáa&S¸zÜ¡Pã¬>ó@cñ5ùjØÍ _ ýl Ä¦ê¦hwüúÆéíôFíJ®Ç: 5QÈÏÑqþ}Åãªl2%êxîÕµ¸b¨ ÇL°×9¸<´có§ß¯({².ëö¦^0Ñdr·DSpJo¤ò³²Kez1Çh=/2Kl©ÃpiÌÌ ê,¶?ÄÅ5ÃÄ®Ãic3y¡?Gß9mÆJBÂVVGðF° ÞMºyñPlëãä¨¥³ÖþÝUceV£jPiRJw»!NÁmêô?Y÷ÔüM3iØÁ©õ,}Ãè)ò^HNÇ2cÙçÿ J'Ò: ZDòsÛTv87mv_²¯¼EùÄMýÅþXj/úà³Á1%°ñì"þ¡öî©`±m5Ä^mSf×êæª7tÙªÚ åc/q\»¸Q>¤Mîb¨¾@qÄ[6Ö.YÝ+Eñg}¸tr¿aZ¡J ãó2K6EYï20ä.ÅÜy $0ük(cmF9µYñYÑTeåûÐóo8"Tà Ã^}¢îÎéÖ63z°ÛøI¥Õ0Wë&ÿ}nÐhÚ~þp;¨ØÊû¦'²2oãÝêÏïÂ¥øá ùÃ9M;PZÒ9TCõÿ¥ðsáOxñÊzSTBðÊ$}I\|È×kNÊÊ ÅGÌÊÝí[ù³íÁFGðÂ?¦¤Ö`Q×ª6±+dVÒ0XÚb·¥¿°Qü=·DCHÄwë@È«áÄä×uÄoî`1´T¶c²ýá33Vuö¶Â oÑÃªb±ýAKÿ>8¬cåÅOzhé6B2 Tü¸^ÕÃ¤a7³ ÷NÓó¼ã©:ð3D«^ðv§ ÎÑ ¤ô3Ú0Nl£;Üw3S÷ÔlBFÕúyÌôLS§îx Ó4Èo?ðÆ\|vÑ håìÚ6"å,vÙ´{Q¥²Ë¶Ç8rî©®0_²ÃBI]öq:{ Bí£?a×^ÿvKÐ.ßþuö=¸çÍÅßÁÒ^á0ÿàox^©wT°`b¥äfLÞp²zàEëæXµ:gÜ&<ú³°^BÞ \%_#A¨¡>}gô6ö¥¡Ì}ÕX_AáI!ç<ºvªrÑø¿-ÔÝ¸rIdaþ¤´={qö³?Í½æ:¡÷6¼)¡Gô¯ÖXMAð yEt>VZt>?·ð M.òoP¹ÛH? ÛçÍþúz;Ó(ëª~0ÅC¯ß)]ñJJ-E_2¦ ¬±nîmÝ#Ì·ö9zK×Êúä ¯T\`fUmà@Ö"](S-Îßù'j+Ec=Âðc Cýò;èÞwöÈ²æ§I< oD"E£=IWO¾5_ò!Í¿)ÀÐ³ùìJ¡¢ÊPÔWf¾x£voQUBÍ%¦_%JLL~iÆ*xw=r¬ªãnØí$`¸£Ï&l#n»úqî¸Ó\|XÅKÑ@íÆ<Ó×FüPA-lHÈ)J#ozinú/zÝ¬À ]mf¸&ü #&;wdòú¢^-?]$BÔüÞXvRÍEàö,e§B¸+¿êÙ:U¤AE«ÅNB X'ïÆúÁ/ß\|Ö`ëÇàïÝ request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.978499126188984, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97849912619

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a5200', u'virtual_address': u'0x00324000', u'entropy': 7.954400534590307, u'name': u'altqaqrb', u'virtual_size': u'0x001a6000'}

entropy

7.95440053459

description

A section with a high entropy has been found

entropy

0.99414426404

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 54 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.16
host	185.215.113.19

Allocates execute permission to another process indicative of possible code injection (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:24 p.m.	process_identifier: 2452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:24 p.m.	process_identifier: 2452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:24 p.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 29, 2024, 1:24 p.m.	process_identifier: 736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x000000000000004c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 358 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 29, 2024, 1:22 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 29, 2024, 1:22 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\17a12ed0f8.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\75c5ed8dda.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe
file	C:\Windows\Tasks\explorti.job

Potential code injection by writing to the memory of another process (45 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f6f22b0 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f700d88 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I»`#l?Aÿã base_address: 0x0000000076d81590 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: a base_address: 0x000000013f700d78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I» l?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: a base_address: 0x000000013f700d70 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: ÏT base_address: 0x000000013f6a0108 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f6faae8 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f700c78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f3122b0 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f320d88 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I»`#.?Aÿã base_address: 0x0000000076d81590 process_identifier: 676 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: H base_address: 0x000000013f320d78 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I» .?Aÿã base_address: 0x0000000076d57a90 process_identifier: 676 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: H base_address: 0x000000013f320d70 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: ÏT base_address: 0x000000013f2c0108 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f31aae8 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f320c78 process_identifier: 676 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f3122b0 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f320d88 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I»`#.?Aÿã base_address: 0x0000000076d81590 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: Û= base_address: 0x000000013f320d78 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I» .?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: Û= base_address: 0x000000013f320d70 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: ÏT base_address: 0x000000013f2c0108 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f31aae8 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f320c78 process_identifier: 2308 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f3122b0 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f320d88 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: I»`#.?Aÿã base_address: 0x0000000076d81590 process_identifier: 2452 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: Ø` base_address: 0x000000013f320d78 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: I» .?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2452 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: Ø` base_address: 0x000000013f320d70 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: ÏT base_address: 0x000000013f2c0108 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f31aae8 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f320c78 process_identifier: 2452 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f3122b0 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f320d88 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: I»`#.?Aÿã base_address: 0x0000000076d81590 process_identifier: 736 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f320d78 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: I» .?Aÿã base_address: 0x0000000076d57a90 process_identifier: 736 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f320d70 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: ÏT base_address: 0x000000013f2c0108 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f31aae8 process_identifier: 736 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 29, 2024, 1:24 p.m.	buffer: base_address: 0x000000013f320c78 process_identifier: 736 process_handle: 0x0000000000000048	1	1

Network activity contains more than one unique useragent (2 events)

process	explorti.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (9 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\25486c72-1a2d-424a-acf3-a490fab06966.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\42dc52c3-4edb-4337-842a-8cf86b5d9964.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\ed748d2a-8ada-4d33-884e-e2fb34e8f309.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\bc4b21ca-8f6b-41c8-9a22-fcc66457be4b.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 812 resumed a thread in remote process 1356
Process injection	Process 1356 resumed a thread in remote process 2216
Process injection	Process 648 resumed a thread in remote process 676
Process injection	Process 1892 resumed a thread in remote process 2308
Process injection	Process 2120 resumed a thread in remote process 2452
Process injection	Process 1320 resumed a thread in remote process 736
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 1356	1	0	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2216	1	0	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 676	1	0	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2308	1	0	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2452	1	0	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 736	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 29, 2024, 1:22 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 e9 4e bf ff ff 5c 89 exception.symbol: random+0x20aaeb exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2140907 exception.address: 0x28aaeb registers.esp: 9502216 registers.edi: 13970968 registers.eax: 1447909480 registers.ebp: 3990990868 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 2642717 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 176 events)

Time & API	Arguments	Status	Return
NtResumeThread July 29, 2024, 1:22 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW July 29, 2024, 1:22 p.m.	thread_identifier: 2824 thread_handle: 0x000003d8 process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtResumeThread July 29, 2024, 1:22 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2820	1	0
CreateProcessInternalW July 29, 2024, 1:22 p.m.	thread_identifier: 3024 thread_handle: 0x00000470 process_identifier: 3020 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000016001\17a12ed0f8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
CreateProcessInternalW July 29, 2024, 1:22 p.m.	thread_identifier: 2056 thread_handle: 0x00000460 process_identifier: 812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\75c5ed8dda.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
NtResumeThread July 29, 2024, 1:22 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW July 29, 2024, 1:23 p.m.	thread_identifier: 1336 thread_handle: 0x000002d4 process_identifier: 1356 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 1356	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
NtResumeThread July 29, 2024, 1:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 812	1	0
CreateProcessInternalW July 29, 2024, 1:23 p.m.	thread_identifier: 2224 thread_handle: 0x0000000000000044 process_identifier: 2216 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f6f22b0 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f700d88 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection July 29, 2024, 1:23 p.m.	section_handle: 0x0000000000000060 process_identifier: 2216 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000061870000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory July 29, 2024, 1:23 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000061870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I»`#l?Aÿã base_address: 0x0000000076d81590 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: a base_address: 0x000000013f700d78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: I» l?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2216 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: a base_address: 0x000000013f700d70 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: ÏT base_address: 0x000000013f6a0108 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f6faae8 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 29, 2024, 1:23 p.m.	buffer: base_address: 0x000000013f700c78 process_identifier: 2216 process_handle: 0x000000000000004c	1	1
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread July 29, 2024, 1:23 p.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 2216	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!A45CD34DAB56
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.a45cd34dab56ce2f
Sophos	Generic ML PUA (PUA)
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=80)
Kingsoft	malware.kb.a.708
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Sabsik.EN.D!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.1DWaa0VIn4ai
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All