Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 6, 2024, 9:17 a.m.	Aug. 6, 2024, 9:40 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`54dda3a0f0895906ba57a691a4655415`
SHA256	`872ea10c56fbd7eed22a86a03387e45213bf90e7e85df771b0a747075a4fa004`
CRC32	`E33B1C81`
ssdeep	`24576:j7I25TWJuUpiD3iaFXJubX9iOQkZ1+G0n/v92SJojo1aS/pxPZxSN11INelXUt14:YyTvubXkO8G0ndD/nZ4WAlEtKgSLCrI`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

herso.exe "C:\Users\test22\AppData\Local\Temp\herso.exe"
1676
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2232
  - 6e18515bc8.exe "C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe"
    2484
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      2800
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2868
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\feb1d719-5d37-4d6f-814f-ef095b02b421.dmp"
        2060
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\feb1d719-5d37-4d6f-814f-ef095b02b421.dmp"
        2104
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2500
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2600
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\714ebb42-5311-4f11-93fe-3625f15d0edd.dmp"
        2288
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\714ebb42-5311-4f11-93fe-3625f15d0edd.dmp"
        2564
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2932
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1712
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\854944f6-c863-4df9-957c-e39bb5ed1152.dmp"
        2076
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\854944f6-c863-4df9-957c-e39bb5ed1152.dmp"
        2948
  - 8bc9ea3c13.exe "C:\Users\test22\1000037002\8bc9ea3c13.exe"
    2976
  - 356feeff4e.exe "C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe"
    3048
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch
185.215.113.24	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.19:80 -> 192.168.56.103:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.16:80 -> 192.168.56.103:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49165 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49168	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.24:80 -> 192.168.56.103:49175	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49175 -> 185.215.113.24:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.215.113.24:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.24:80 -> 192.168.56.103:49175	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.215.113.24:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.24:80 -> 192.168.56.103:49175	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.215.113.24:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 185.215.113.24:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.24:80 -> 192.168.56.103:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.24:80 -> 192.168.56.103:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.24:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.24:80 -> 192.168.56.103:49178	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49198 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49197 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.24:80 -> 192.168.56.103:49178	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.24:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 6, 2024, 9:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2024, 9:17 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:17 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:17 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:17 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:17 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:18 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Aug. 6, 2024, 9:19 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 6, 2024, 9:18 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	empipoju
section	ojixoypn
section	.taggant

One or more processes crashed (50 out of 272 events)

Time & API	Arguments	Status
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: herso+0x30e0b9 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 3203257 exception.address: 0x12fe0b9 registers.esp: 4193044 registers.edi: 0 registers.eax: 1 registers.ebp: 4193060 registers.edx: 21594112 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 3e ff 34 24 ff 34 24 e9 24 01 00 exception.symbol: herso+0x6d6d5 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 448213 exception.address: 0x105d6d5 registers.esp: 4193012 registers.edi: 17186793 registers.eax: 29101 registers.ebp: 4007178260 registers.edx: 16711680 registers.ebx: 129 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 35 07 00 00 5d 55 89 e5 81 c5 04 00 00 00 exception.symbol: herso+0x6ce61 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 446049 exception.address: 0x105ce61 registers.esp: 4193012 registers.edi: 17186793 registers.eax: 29101 registers.ebp: 4007178260 registers.edx: 16711680 registers.ebx: 80171347 registers.esi: 4294941284 registers.ecx: 1971388416	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 52 ba cb 0c ed 4f 50 68 f5 49 c9 22 89 1c 24 exception.symbol: herso+0x6e3a0 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 451488 exception.address: 0x105e3a0 registers.esp: 4193008 registers.edi: 17186793 registers.eax: 32220 registers.ebp: 4007178260 registers.edx: 293041014 registers.ebx: 17161278 registers.esi: 4294941284 registers.ecx: 2060724334	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 e9 87 02 00 00 01 exception.symbol: herso+0x6e2ee exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 451310 exception.address: 0x105e2ee registers.esp: 4193012 registers.edi: 0 registers.eax: 32220 registers.ebp: 4007178260 registers.edx: 293041014 registers.ebx: 17164438 registers.esi: 235753 registers.ecx: 2060724334	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 53 89 3c 24 89 e7 e9 b2 03 00 00 58 55 bd ae exception.symbol: herso+0x1e652d exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 1991981 exception.address: 0x11d652d registers.esp: 4193012 registers.edi: 17197679 registers.eax: 18729726 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 62456761 registers.esi: 18686230 registers.ecx: 953	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 68 d0 ae 93 4f 89 14 24 c7 04 24 7d 29 ff 22 exception.symbol: herso+0x1e66f5 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 1992437 exception.address: 0x11d66f5 registers.esp: 4193012 registers.edi: 17197679 registers.eax: 18729726 registers.ebp: 4007178260 registers.edx: 623849 registers.ebx: 4294943584 registers.esi: 18686230 registers.ecx: 953	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 52 89 04 24 68 21 a3 31 75 89 0c 24 e9 70 fa exception.symbol: herso+0x1e84aa exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2000042 exception.address: 0x11d84aa registers.esp: 4193012 registers.edi: 17197679 registers.eax: 18741723 registers.ebp: 4007178260 registers.edx: 623849 registers.ebx: 1709887346 registers.esi: 18686230 registers.ecx: 1084890819	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 64 f5 ef 7f 81 ec 04 00 00 00 89 exception.symbol: herso+0x1e7bae exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 1997742 exception.address: 0x11d7bae registers.esp: 4193012 registers.edi: 4294937888 registers.eax: 18741723 registers.ebp: 4007178260 registers.edx: 623849 registers.ebx: 50665 registers.esi: 18686230 registers.ecx: 1084890819	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 f7 ef 3e 70 89 3c 24 89 14 24 89 exception.symbol: herso+0x1ea2c4 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2007748 exception.address: 0x11da2c4 registers.esp: 4193012 registers.edi: 8662759 registers.eax: 1259 registers.ebp: 4007178260 registers.edx: 0 registers.ebx: 0 registers.esi: 205839809 registers.ecx: 18721439	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 89 1c 24 e9 e9 exception.symbol: herso+0x1f69b7 exception.instruction: in eax, dx exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2058679 exception.address: 0x11e69b7 registers.esp: 4193004 registers.edi: 8662759 registers.eax: 1447909480 registers.ebp: 4007178260 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18748226 registers.ecx: 20	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: herso+0x1f6fc2 exception.address: 0x11e6fc2 exception.module: herso.exe exception.exception_code: 0xc000001d exception.offset: 2060226 registers.esp: 4193004 registers.edi: 8662759 registers.eax: 1 registers.ebp: 4007178260 registers.edx: 22104 registers.ebx: 0 registers.esi: 18748226 registers.ecx: 20	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 df 3a 2d 12 01 exception.symbol: herso+0x1f29f0 exception.instruction: in eax, dx exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2042352 exception.address: 0x11e29f0 registers.esp: 4193004 registers.edi: 8662759 registers.eax: 1447909480 registers.ebp: 4007178260 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18748226 registers.ecx: 10	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 92 fa ff ff ff 34 24 58 83 c4 04 50 89 e0 exception.symbol: herso+0x1fa0f0 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2072816 exception.address: 0x11ea0f0 registers.esp: 4193008 registers.edi: 8662759 registers.eax: 29224 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 40914187 registers.esi: 10 registers.ecx: 18782895	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 a7 00 00 00 89 f0 52 68 00 00 00 00 5a 55 exception.symbol: herso+0x1f9f79 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2072441 exception.address: 0x11e9f79 registers.esp: 4193012 registers.edi: 8662759 registers.eax: 29224 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 40914187 registers.esi: 10 registers.ecx: 18812119	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 68 9b 6d 78 1b 89 04 24 68 0e 8d 7f 67 ff 34 exception.symbol: herso+0x1fa39c exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2073500 exception.address: 0x11ea39c registers.esp: 4193012 registers.edi: 8662759 registers.eax: 29224 registers.ebp: 4007178260 registers.edx: 6379 registers.ebx: 40914187 registers.esi: 4294941264 registers.ecx: 18812119	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 e8 14 00 00 00 36 f4 2f 20 da fa 3e exception.symbol: herso+0x1facba exception.instruction: int 1 exception.module: herso.exe exception.exception_code: 0xc0000005 exception.offset: 2075834 exception.address: 0x11eacba registers.esp: 4192972 registers.edi: 0 registers.eax: 4192972 registers.ebp: 4007178260 registers.edx: 44501 registers.ebx: 18787797 registers.esi: 18787381 registers.ecx: 504897376	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 50 b8 25 35 e9 56 35 21 35 e9 56 01 exception.symbol: herso+0x209530 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2135344 exception.address: 0x11f9530 registers.esp: 4193012 registers.edi: 17150914 registers.eax: 32504 registers.ebp: 4007178260 registers.edx: 6 registers.ebx: 18878707 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 5c 00 00 00 56 ff 74 24 04 5e e9 d4 fc ff exception.symbol: herso+0x209d19 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2137369 exception.address: 0x11f9d19 registers.esp: 4193012 registers.edi: 17150914 registers.eax: 32504 registers.ebp: 4007178260 registers.edx: 4294938144 registers.ebx: 18878707 registers.esi: 1971262480 registers.ecx: 98601296	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 ea bf 76 63 e9 87 03 00 00 81 c7 exception.symbol: herso+0x20f146 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2158918 exception.address: 0x11ff146 registers.esp: 4193000 registers.edi: 18870020 registers.eax: 29282 registers.ebp: 4007178260 registers.edx: 774241995 registers.ebx: 167815814 registers.esi: 1988413394 registers.ecx: 774241995	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 55 89 3c 24 bf 8b 1e ee 5f 47 50 56 e9 06 ff exception.symbol: herso+0x20f2f2 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2159346 exception.address: 0x11ff2f2 registers.esp: 4193004 registers.edi: 18873014 registers.eax: 604277078 registers.ebp: 4007178260 registers.edx: 774241995 registers.ebx: 167815814 registers.esi: 0 registers.ecx: 774241995	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 ad 01 00 00 81 f5 9b 38 4a 5a 31 e8 5d 05 exception.symbol: herso+0x21164a exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2168394 exception.address: 0x120164a registers.esp: 4193000 registers.edi: 4022815394 registers.eax: 29576 registers.ebp: 4007178260 registers.edx: 2142270149 registers.ebx: 18879041 registers.esi: 18873014 registers.ecx: 2161147548	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 51 e9 74 f8 ff ff ff 34 1a ff 34 24 e9 63 00 exception.symbol: herso+0x211b7c exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2169724 exception.address: 0x1201b7c registers.esp: 4193004 registers.edi: 4022815394 registers.eax: 29576 registers.ebp: 4007178260 registers.edx: 2142270149 registers.ebx: 18908617 registers.esi: 18873014 registers.ecx: 2161147548	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 c7 04 24 87 83 f2 exception.symbol: herso+0x211daa exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2170282 exception.address: 0x1201daa registers.esp: 4193004 registers.edi: 322689 registers.eax: 29576 registers.ebp: 4007178260 registers.edx: 4294940800 registers.ebx: 18908617 registers.esi: 18873014 registers.ecx: 2161147548	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 00 00 00 00 89 04 24 e9 exception.symbol: herso+0x214523 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2180387 exception.address: 0x1204523 registers.esp: 4193000 registers.edi: 322689 registers.eax: 26784 registers.ebp: 4007178260 registers.edx: 4294940800 registers.ebx: 1128402562 registers.esi: 18873014 registers.ecx: 18889908	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 53 50 68 88 1d 6f 7f 58 2d 41 e0 b7 07 e9 03 exception.symbol: herso+0x213d1e exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2178334 exception.address: 0x1203d1e registers.esp: 4193004 registers.edi: 4294943372 registers.eax: 84201 registers.ebp: 4007178260 registers.edx: 4294940800 registers.ebx: 1128402562 registers.esi: 18873014 registers.ecx: 18916692	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 68 2e 0f c3 7b e9 02 05 00 00 58 81 c5 a4 9f exception.symbol: herso+0x225881 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2250881 exception.address: 0x1215881 registers.esp: 4193004 registers.edi: 3278334944 registers.eax: 18992767 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 3278339044 registers.esi: 4294939748 registers.ecx: 116969	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 d4 f9 ff ff 87 2c 24 5c 89 14 24 89 e2 55 exception.symbol: herso+0x23c304 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2343684 exception.address: 0x122c304 registers.esp: 4192972 registers.edi: 19081385 registers.eax: 28667 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 2147485317 registers.esi: 2313063264 registers.ecx: 4294941396	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 83 ec 04 89 0c 24 exception.symbol: herso+0x23ceb9 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2346681 exception.address: 0x122ceb9 registers.esp: 4192972 registers.edi: 4294939004 registers.eax: 30950 registers.ebp: 4007178260 registers.edx: 1325214180 registers.ebx: 772068874 registers.esi: 19089113 registers.ecx: 604801362	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 52 ba 04 69 f6 3d 55 bd 12 f7 cf 3e e9 eb 02 exception.symbol: herso+0x23dbe8 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2350056 exception.address: 0x122dbe8 registers.esp: 4192968 registers.edi: 4294939004 registers.eax: 29272 registers.ebp: 4007178260 registers.edx: 1975250091 registers.ebx: 772068874 registers.esi: 19061041 registers.ecx: 604801362	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 e9 b8 fc ff ff 89 exception.symbol: herso+0x23dd36 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2350390 exception.address: 0x122dd36 registers.esp: 4192972 registers.edi: 4294939004 registers.eax: 4294940540 registers.ebp: 4007178260 registers.edx: 1002937741 registers.ebx: 772068874 registers.esi: 19090313 registers.ecx: 604801362	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 89 04 24 89 e0 e9 b9 0b 00 00 89 exception.symbol: herso+0x241ee4 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2367204 exception.address: 0x1231ee4 registers.esp: 4192972 registers.edi: 4294939004 registers.eax: 27123 registers.ebp: 4007178260 registers.edx: 0 registers.ebx: 65804 registers.esi: 19105926 registers.ecx: 1969225870	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 1e 05 00 00 83 c7 04 87 3c 24 5c exception.symbol: herso+0x242194 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2367892 exception.address: 0x1232194 registers.esp: 4192972 registers.edi: 4294939004 registers.eax: 322689 registers.ebp: 4007178260 registers.edx: 4294943784 registers.ebx: 65804 registers.esi: 19105926 registers.ecx: 1969225870	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 81 c6 34 8b 5f 7f 03 34 24 52 68 da 03 a5 6a exception.symbol: herso+0x244477 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2376823 exception.address: 0x1234477 registers.esp: 4192968 registers.edi: 287777128 registers.eax: 29776 registers.ebp: 4007178260 registers.edx: 871407392 registers.ebx: 287784299 registers.esi: 19088068 registers.ecx: 890493803	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 ac 8a 6d 12 89 04 24 c7 04 24 e6 exception.symbol: herso+0x244769 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2377577 exception.address: 0x1234769 registers.esp: 4192972 registers.edi: 287777128 registers.eax: 24811 registers.ebp: 4007178260 registers.edx: 871407392 registers.ebx: 0 registers.esi: 19091036 registers.ecx: 890493803	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 89 e6 e9 d5 01 00 00 54 8b exception.symbol: herso+0x24799c exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2390428 exception.address: 0x123799c registers.esp: 4192968 registers.edi: 19100995 registers.eax: 19101693 registers.ebp: 4007178260 registers.edx: 836032545 registers.ebx: 1 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 2d fc 21 5d 89 2c 24 57 c7 04 24 exception.symbol: herso+0x248239 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2392633 exception.address: 0x1238239 registers.esp: 4192972 registers.edi: 19100995 registers.eax: 19104482 registers.ebp: 4007178260 registers.edx: 157417 registers.ebx: 1 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 55 e9 37 00 00 00 59 81 f7 5e 36 bf 7e 81 c7 exception.symbol: herso+0x248ac3 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2394819 exception.address: 0x1238ac3 registers.esp: 4192968 registers.edi: 19100995 registers.eax: 19105587 registers.ebp: 4007178260 registers.edx: 157417 registers.ebx: 1219189504 registers.esi: 1 registers.ecx: 1337876430	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 55 e9 c4 02 00 00 68 6d ea f6 00 e9 83 03 00 exception.symbol: herso+0x248d86 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2395526 exception.address: 0x1238d86 registers.esp: 4192972 registers.edi: 2173331560 registers.eax: 19108589 registers.ebp: 4007178260 registers.edx: 157417 registers.ebx: 1219189504 registers.esi: 0 registers.ecx: 1337876430	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 41 9a 9d 52 ff 34 24 ff 34 24 5a exception.symbol: herso+0x25bb9c exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2472860 exception.address: 0x124bb9c registers.esp: 4192972 registers.edi: 2298801283 registers.eax: 25849 registers.ebp: 4007178260 registers.edx: 18914776 registers.ebx: 19210308 registers.esi: 5881836 registers.ecx: 4294944304	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 68 c8 63 de 4b e9 be 05 00 00 55 bd a4 f8 02 exception.symbol: herso+0x264e5b exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2510427 exception.address: 0x1254e5b registers.esp: 4192972 registers.edi: 19188756 registers.eax: 30052 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 19251340 registers.esi: 5881836 registers.ecx: 0	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 52 ef 71 25 89 3c 24 89 04 24 89 exception.symbol: herso+0x264cfd exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2510077 exception.address: 0x1254cfd registers.esp: 4192972 registers.edi: 0 registers.eax: 30052 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 19224168 registers.esi: 9451 registers.ecx: 0	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 eb 01 00 00 81 cf 25 7d cd 0f f7 exception.symbol: herso+0x26c299 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2540185 exception.address: 0x125c299 registers.esp: 4192972 registers.edi: 19240230 registers.eax: 29073 registers.ebp: 4007178260 registers.edx: 0 registers.ebx: 25356626 registers.esi: 19254036 registers.ecx: 765722624	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 e9 29 04 00 00 31 fe 31 f7 exception.symbol: herso+0x26fd61 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2555233 exception.address: 0x125fd61 registers.esp: 4192972 registers.edi: 19240230 registers.eax: 30986 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 19297373 registers.esi: 19254036 registers.ecx: 765722624	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 70 00 00 00 ff 74 24 04 8b 04 24 83 c4 04 exception.symbol: herso+0x2700db exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2556123 exception.address: 0x12600db registers.esp: 4192972 registers.edi: 19240230 registers.eax: 3923872081 registers.ebp: 4007178260 registers.edx: 0 registers.ebx: 19269589 registers.esi: 19254036 registers.ecx: 765722624	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 81 ef e8 03 0d 7a 55 bd 5c f5 d3 1b e9 94 06 exception.symbol: herso+0x281b54 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2628436 exception.address: 0x1271b54 registers.esp: 4192968 registers.edi: 19338971 registers.eax: 31195 registers.ebp: 4007178260 registers.edx: 11 registers.ebx: 19310155 registers.esi: 5881836 registers.ecx: 12	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 57 89 34 24 c7 04 24 8b 7f b5 0b 81 2c 24 51 exception.symbol: herso+0x2822bc exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2630332 exception.address: 0x12722bc registers.esp: 4192972 registers.edi: 19370166 registers.eax: 31195 registers.ebp: 4007178260 registers.edx: 11 registers.ebx: 19310155 registers.esi: 5881836 registers.ecx: 12	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb e9 63 02 00 00 52 53 81 ec 04 00 00 00 e9 f3 exception.symbol: herso+0x281ef6 exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2629366 exception.address: 0x1271ef6 registers.esp: 4192972 registers.edi: 19370166 registers.eax: 2112443472 registers.ebp: 4007178260 registers.edx: 4294939180 registers.ebx: 19310155 registers.esi: 5881836 registers.ecx: 12	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 53 51 e9 4d 01 00 00 5d e9 13 01 00 00 83 ee exception.symbol: herso+0x28b66e exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2668142 exception.address: 0x127b66e registers.esp: 4192972 registers.edi: 19370166 registers.eax: 31333 registers.ebp: 4007178260 registers.edx: 2130566132 registers.ebx: 352302288 registers.esi: 2005598220 registers.ecx: 19408390	1
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: fb 51 89 14 24 89 0c 24 52 ba 64 c5 f9 4d 81 f2 exception.symbol: herso+0x28abdd exception.instruction: sti exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2665437 exception.address: 0x127abdd registers.esp: 4192972 registers.edi: 19370166 registers.eax: 31333 registers.ebp: 4007178260 registers.edx: 0 registers.ebx: 352302288 registers.esi: 13887824 registers.ecx: 19380342	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/num/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.24/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (13 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/well/random.exe
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.16/num/random.exe
request	GET http://185.215.113.24/
request	POST http://185.215.113.24/e2b1563c6670f193.php
request	GET http://185.215.113.24/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.24/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.24/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.24/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.24/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.24/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.24/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://185.215.113.24/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 284 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ff1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x013d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	6e18515bc8.exe tried to sleep 278 seconds, actually delayed analysis time by 278 seconds
description	explorti.exe tried to sleep 1097 seconds, actually delayed analysis time by 1097 seconds

An application raised an exception which may be indicative of an exploit crash (6 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2868 crashed
Application Crash	Process firefox.exe with pid 2600 crashed
Application Crash	Process firefox.exe with pid 1712 crashed
__exception__ Aug. 6, 2024, 9:18 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10219112 registers.r15: 8791540668016 registers.rcx: 48 registers.rsi: 8791540599680 registers.r10: 0 registers.rbx: 0 registers.rsp: 10218744 registers.r11: 10222128 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14925488 registers.rbp: 10218864 registers.rdi: 249667616 registers.rax: 13442816 registers.r13: 10219704	1	0	0
__exception__ Aug. 6, 2024, 9:19 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8973992 registers.r15: 8791415428720 registers.rcx: 48 registers.rsi: 8791415360384 registers.r10: 0 registers.rbx: 0 registers.rsp: 8973624 registers.r11: 8977008 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14922608 registers.rbp: 8973744 registers.rdi: 252813344 registers.rax: 13442816 registers.r13: 8974584	1	0	0
__exception__ Aug. 6, 2024, 9:18 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9894704 registers.r15: 9894208 registers.rcx: 48 registers.rsi: 14759008 registers.r10: 0 registers.rbx: 0 registers.rsp: 9893256 registers.r11: 9895456 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9894039 registers.rbp: 9893376 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (9 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\1000037002\8bc9ea3c13.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe
file	C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe
file	C:\Users\test22\1000037002\8bc9ea3c13.exe
file	C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe
file	C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 6, 2024, 9:17 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW Aug. 6, 2024, 9:17 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe	1	1
ShellExecuteExW Aug. 6, 2024, 9:18 a.m.	show_type: 0 filepath_r: C:\Users\test22\1000037002\8bc9ea3c13.exe parameters: filepath: C:\Users\test22\1000037002\8bc9ea3c13.exe	1	1
ShellExecuteExW Aug. 6, 2024, 9:18 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (37 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: services.exe process_identifier: 436	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 516	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: taskhost.exe process_identifier: 1940	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: SearchProtocolHost.exe process_identifier: 1932	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: SearchFilterHost.exe process_identifier: 1704	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: explorti.exe process_identifier: 2232	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: 6e18515bc8.exe process_identifier: 2484	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: svchost.exe process_identifier: 2612	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: mscorsvw.exe process_identifier: 2640	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: mscorsvw.exe process_identifier: 2680	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: sppsvc.exe process_identifier: 2732	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: firefox.exe process_identifier: 2868	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: 8bc9ea3c13.exe process_identifier: 2976	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000298 process_name: 356feeff4e.exe process_identifier: 3048	1	1
Process32NextW Aug. 6, 2024, 9:18 a.m.	snapshot_handle: 0x00000440 process_name: crashreporter.exe process_identifier: 2060	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000d48bf00000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes explorti.exe, 356feeff4e.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 6, 2024, 9:17 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELo±fà"¬ Æß®À @¯Òì@ PPâ4_LÐè0PP° @àÀ ò@àÀö@à@ öú@àPbð @à.rsrcÐR@@Àx`(à@à.dataà" Ö"@à¹Xr(¯Ç÷¼\³¦2 =)P ¢«Î]Tu×y¢ÄÄDÌfÎCØ~\|ÐÍñÒr£Ä÷ù~¹±\©FÖpËàf+Æwy¸Qí tù+uþH5î$·½J»m^5ÞÚD²iÜ¸\|\|EËjf÷vÇ@ê½'å"µJm 'Å¶_rÎZSGubúÅããâÃ?!ZRD¥wÅÀ]-ýfÝÏ&õN#3°¬34Ü~Z11Ñ-[èfÍKaJ__ud½'ªbçÎ9Ã©xíÈðì¯ýc=~øØ¸óêï+'qm%0>ZM¾Øs²QFÂ)ö@¼ì{æl&-Q#w¼bïíi»rt«h?^ÂÔ_vë;ô &L$óL§BáEÍÝ+è´Q0Ñ"ï¢ Êøªm©vþ ÊÚÿùLcæC9Ï,L÷,Ó 1×Uyý÷É%ªºYÙo3íh¿½2ïÌ'®äEò¯÷þ\Û5©L0:Úeå]1³ï©5³Oà,,#¢uåN®n¹áí¶ò¦ÞÛÑ^B±ÂÓ£Õ¥S"]¤ÞJk£m,3Åârq7«LöZòÃ²Ä»@¡¢¶õ!YØûú/Ø59hè,R:N9øogC~PAæÏ wÚúá¹°Õwé1%ÁRâ9Ðlºd8+VYX$ËSvclñÕ½âuXùÐtE³åtÐùKÑO@xÂj!ÔF±Z0Ç÷Gª±nFçÓôºñx½êÑ½¿ïÌêh^6ÿ÷8Åvyß²ÿ[ùYòaHâ«¸È\MËvZfÄoÐ-»QÓÌýå¯`ZøAZ;ÿ¬(DcyÌhíÉslZ2ìÁp 3ìMØy°} êâm¤Ï20Ì]Àð»bÇ©ìÆuæhHÇj?t÷VWfp6£>õ½8Ù¼ÏdÄV 2"R¾vdþ÷Û(> ÃºÕã¿é¨éxÅ´hHéìøsSÊâ¤¹fQ3Ñl;ª?·l.¥»`å<ZtµN®wcîß cÏ÷o&qÃ"b<] Z® à$§j¯CCÁkmÜùÛ1¹'+c¸Oð>_u«Èûíp4'ÀU¡6# J;üGQ`5Ú S÷qå 9@(>(4ç(â®¯Qq=¼Æ¶kÕtÆÚ-xJvØûºK®°òÅÏMî Vq<¶ßQ."Ä."ø)ÓD÷dixÎF(¸2RÈ¡G7óµ_Õ#¸?=G¬&-Cxæô])$ RyÂ½ýlL§6]·2ØÌª&ó±÷çàg;¸Oªµü÷yûýÀù¯Ö¯ÚÒ;Æ¢õr@¥K£wÅê]²m´q,@ê#-ÅÁøæÕ ä%<zºµ ~ß0~Ó1)ÉöY3m°¬éÍy§Tµk@-!czèêÚY.~Â%âÜ%m.!EGOëEj'ÎÉ>õÃÿOçHëÁÿyºÓjv"P¡ 4Ý¤ø)¾¼1¢Øg=áUÖP¾Dp³=ObQ4t}þ§ëTÔ±ø~þ")¡ÔLÚôHòO<sB'gVOø&µ×c:8c8l~x:o;_£Û þ«ÎZÄlL¹Í¯»]¤Eÿ¤¥÷ùã µb-¢Ìf~I8cÍIäÏr¨¨ k+;w¢Î`ÜÖóiX]8=ÄÝLØ3ÇÛ®kñ?Q[Ub\e®m@¹ìHB5±õ H%BçLy\|Å«¾²yà~¥÷t.«6!&!)N%X)¿£q½Ç{Ó\|±(4NfëÌýßçzÝ¶#óDëv÷ ðôg(ep<0qY UÇõºC`¦¿JNóû"S5Rr æý>\>'îÝÖDçtCí s·%CèðZÅ½¥Ó}½£k¥ók¿ÃNB=éÎªòJ¦»¹0ES&@;ã\~×¢:©¶1`ädµ>=¨ïÞ~ ruør¶}wz?¦²Ôsdkñk'8ó&wP^BªL"þk/¬AnTµMVûå®4oßËÚZC4o©]üÚ³;y9yhdGÁ]äO"ß7ä+{ç°"7Ä>À!°áÈO"Û n¨AoY¼àÃñ@d;óoUg";(kýNn¯:å9»D`û¥ãb¢@®èbáÍ¯DïM_ðüÑæÛ0GbîàZyÅo+ôì¶ÌïÞ8£T'6N ÆzFi[ÁÓÄ%Ø·£þÜÀ¿à;T"¹Å¯í«âZÓ·¢8½yl)ÌßæÚrþU?âk@ï6è 5î\¨ì""³)¾$p4ìvdä´õó¨ÀÈæÔþEò ¢a¾:AW¤Wó.ï-fÙî§S$:×¹ ¸ÿZ¦wRí2Ëø2åQéñ2NEwÂ?1Cdä?ìW®Èhu8Lf¢D7Ü¸Aâ2EDäJÈç7ßOd Hk´·'õï¬A!w?ÈRjÍDR(ç©¤wvê¹<¾ý!ÄaÛ cJs¢8»æ£í½@B ÐÑbÈûbA9ø@S(:ÑïFå"{÷×J ·üKÖ·VvgÓí0Ý<íg¶¿{Bàbaüé:ìHbF¼ÖXö- '¶ UÃ@ºÓôIO?7êØf¼teÇI±jZGöÊ<LH±Ä¸lÌºXßÈå¨¹éq,³®êéït tûë0¦Û',¿aÆ=Xæú++qvû]Ü6üéàîÓï8´¹Þv££réb A3b~æ¥\ó®´¾,R\|2Ó·ëa<}£Ê[üi9bZ¨i?y¹Ã³±¯%õ .RºR³ôÒ/ºTûÍÙ¢Eþ¥5\½Xýjê4éo³åØïÞSRé±vF JWùúR}úÚbR[ËtaqÊòùr]xÃ¥wÚÅ;ñ³~KÕí]Ê\õXÍÈL£ÊÀy"(Ø!¥Y]·yÙ3²lRù,fÅZ¹3¬~HHÚ>nëod!eÐcÏí°øpW£ºNÞP>X(z#±Èf¤©Í6=ìòøJ9u¿¼®ÕZØR¹¦à§¨]E¥ú_Xu\|0iËk±\T8²0}¢Êï¾6'HCø¤¯ïUñè~õ2çÎ¿ö2Î½È÷üA¯D09æäª§¼u¯EìcéÔu#rAKÇòrä^¿¥Õ 1$7Õ{Ïü'BTj;%ÔxJsIC¢°ÿ·rHûÂd«Ï<»¡R²pûíÖEÃÊÝcßeøÝ¼Gqm¨µb¸mE ¢D«7(=F@o ÏJY~j ¥?ÒãúØ¦Béò9´'A1¸!B3¥@òÆ:°5üÛ;yxÿ ôÎôBénª»6Ú¿F·¤Æ9³â¼ku"fidçG©ØPàëjÉÿDéMÖ)ãj}Ä¯6bqÉIÒ]nû®Æ}§?Þ2JÂöÚª¢;A*ã`qFQä}¯rÏmç;ÊW¤ÒWd( å;gØûðû§§ö&´ÇVp¢BKæ:}ô8hÚç(ÊgJßð²ìÈÚo request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $k]öÓ 3¥Ó 3¥Ó 3¥nE¥¥Ò 3¥ÍX·¥Í 3¥ÍX¦¥Ã 3¥ÍX°¥· 3¥ôÌH¥Ô 3¥Ó 2¥ 3¥ÍX¹¥Ò 3¥ÍX§¥Ò 3¥ÍX¢¥Ò 3¥RichÓ 3¥PELAYHeà æpÜ¿@Às? \ \ Ü0$Xað@à0 @à00@àÐ`@à.rsrcp0$b"@@0y $(@à.data0"Ð""¬@à¡éc ípé1Ã<ºiìfË"ã1¤»V,ÃxP´¥3Þhú#~b\¿V" T8/«Ù^j;êäçÒO ¾>[êJ¿Büqz>ÈKZÙ}nh°¤yõ §ÝóÔÿ,©é1â¨±»` 3kì3äºã£´øÐëDðÙ]Âµo´îÀH¤Ö¼nJØê.ÿíÚ^¦Äx´wÍ)¡TDý$oó-ãTQÅ-Mk&m¸gc=¥BTÞÁ¯ßÀØP.ø°¡o) dbqÑÌ¨dÈþµ ¹ÎzÓì;ÊôÌåé¡_¡ìÕæfáÙ@T³Ô¾ënÜ·<:T)¡;H1c?6ô7Í¹µdÈë®c_8åhY¿wwÏáüÕïÑß¹ûft¤³þ²¹TO3¯1ú£Ý¼u¥ºKû¿¶à3÷´æq¦«z]ÓâÐð?g(ùC'§{IÂÖypXðjBa·¬¡5_ñ÷ò"{;SrRE¢tÃ®ÑÏ§Xw¹i '\}ììÂ¦Óíra¼Å0¾XóÏP$ÙòørØ½ÕåC©I®rÐ%¢4{óWß¹ýÔË]]¦Èw¸nLL:àÉ6Æ]§$(q/;³Ã5"L3Þù´jT¾Åæ¸CÛEAø#({óãã¡N¦ÄÍÅÌDw<)ï`mQ?âcyÿK= 2¦y±tÿ>à(~¥\|-¼M015¡ËçõÃÛKT¸ÅP²b.·¾öÊ^¬`4YåÏÞÞ¨ã¡'ß G\|/Ðy4§qj-¦Ç<²Ò¸OÛÎW¹«ÚÂc{]I»]+Ï §^Eè{ÁJI,¿à°îDòÇÙÝlh×}î¯º´4._«¯¢JH÷~øyYñ1¼U "l¤a³ý&¶´È®¯éJ¡cô¬HZ Üé8)®Ýç5âÐñIðNÕ¹ïÿcAì¹8çÀácvkÐ.ºcòbü goQèÒ$~$0¿=9jÇY¼»ÕþÖÊãmÍd?íïhJ~ðÀBB×¿1ÓÝàÙ4«9Mô:!9NUÞ©áBd¸·XW[Æ>×Å5è£ÕËò3¡<zgåÆ¨ãÍ\|ùÊÙ¨ÇõýONø§ÝHDp½ æ#ÉqÀt¬Þ\|<P±³ý÷ zá´OpW¹Cµq}qu\gOµîJ°Ö<MåÐ¦;Z\éràâK>V©@M;}°²qæ1Ìá3ñã®ò±°Huêi=Ö«c=ÙB²rcÝ^Ëª&%ÒP¬AÙ8Æ¦/,\|µzÀ%Ã½ÆþÃþè¶ f@ø·^t]ÍSðW¶8ß!ÍX~ÛÜX4b÷k¥Ocó6YÊê l¹~¶i°MÞá;ßµVCÆl#Ú÷euü0b4f>Ü¨sV[®åiJ¸¶_åT~ùÔç ¢Þoè=h%tÙ/½Â3Óåp=bóæ`Õ"cMxê1ê<4Û$Ñm=PPN®¤))K -S4öÞêá¾fõkç0Óù&¦pÔÏ@CUÓ\ùþQ\|åÖMÅ 0¥ C0Ró]¬ù{KZ¤BIr,çÌ õp¦:/Q¤XX¡Õg«ÆgÀ,ùIÙ¹Dq±ü\|¢t/ç×x©ë:¨¢±n Õ,÷P,þqÍ³TÖ8å^\|iÕmÓö>ÿk}z\+lô@ï"ÂÍÿÐ0Ä±¼ÁD%iÎÐ´z;O®¸r·Þ)}~´¦QSïLüÞpX4xGYÇþÃ®CWzuÀ`%.,.)DÌZ1äjµg>kY$ëÈ +ÖAdZÝc¯ÜJ=ßåØ9w£ GÐÆ)WßGû+~¹+ÜgRNþ/þzì«ûãÔ_Ô7^JÛ¹¤ÑjZÐ90~R¤¼A)²ÚËT=`§w&ëR}!Ý/Jlblf#² þ ÏãüÞº)+ùü×°UQ xíZç<þdÂßdJô·³=üSgG8@ÿk XpRo[Bí´çßvZÎÝ, hõmWå»¶½éµ÷`ôí)ÜB#dQÈ±ÞNãðÖvôo ºÙßymørÊ)sÄI.c3u0{%ÆØ³(}1BGé/±\|iWDKºû~}º«1§^ð4÷doY[¬\YÍFi ê(÷¶ ÇÏÔF[Ö)Iþ#ë<^ý½Ê«7ôë?<pzsÆðîÒGç·B!´ø9fKRâô&Xö»Kæ£VÄõQ¤ÁjGo+Ô¢=A1¢5ªoLc)´ZÁ¿QÈHiaä¢vè(æÝüù2é«5WÏáÚÇËÁQ¬Þ±_Ft³[®9éÔ¬é½Y?ôFXÎãÅ0EË"ê ëÕ(EdúÅ.ê f"<t9Ìð'"45ÊfºKf=ØðÞII4zU¿V îÆ~iß`LÛ5/ÌH¢-6¹çÎm¶ e}~çwWfñgîÀgOZ¯·áuÔ¡B/Sp0Ýxi. Úø7ø¨ÒPÒ.fiÇ$fIpqï]'ÒÚÖVë°ÍçVkÏ )IOjz/²Ê( ÜNbÌdZÒîêNÓÖ0ÓÒü ¡:«(8\|8ØOëðï'ilABØó9Ûní¾Í¨àµ«!Õs¿Íw½ríù%â÷ísðb=££êá¼òÇw?,`¸s`Û$=øÄ.Ç3ªÂuVû{¶«¼äû-i9gçù`)ÊÐà:8d EX¨hu8/4uÄ(ß~¨½u¡òÂÙýªÅ\söà¯ìg\Y$RAÝ¤ZQª\|¦ãÝÇ¥nôÔ¡:yÖHô+$cHìá´èüÃedWg56j\|Ê;K3 Û; w7.B0éfß£¹QnÜ-är0pì2JIáà¥±÷þkòJ.ë~µ)±®ÙLK:Ï&5Ïñ©â]\|g,×;Í&aß¹;g<F7&;ðTjUzµÑÍ².$¦âÆ(tV?¯W~%ÖWÃÝ3ÒÌÏ²ô.JÞ4zÚ8 ¨åZr çUÔZçNÅ7¨ï©ÉÀxÌHì ¯·Ësì$¤Ôçìï¬MèXj?t/«µàù§@oLïIxmü4;ZëZPYÞíù3S·Èâa¿Êå[ åáÚúËc`.H:f±ÈÄ6[hm)ïØº3¹tNÒ`k\|²ó¾3O¿~Ì<.è0Ú9ôÊÀÑ$³ÐØÍ:ÇÚU.Û;¶±AG¼ÌíQd$ºPýÜ[Hnõ^WÑO¿Ñ×Èõ<Ê²ZjÚ3Ö¥º[C«±Xùdû1õSi·'M1Ð¨B5úÙè#UÛÕÚU> àØWûåÈõHÿl÷Sá$GRÚi2 àk"Ôh£ è¸j:-m¹,i\F?Miþ ÈDáø°ÚF»äm¯±@N®\° Ü÷ÝÓú7ó:7K2Ô¥ís?´ËÛ´ëñ¹z°KåxH&°¹hbZÈP1÷¦9aWû0chõ¶¦R¤$>f]z request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PELN««fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.relocDà#F¨@By¹ApÈAÙÈAUìQEEü}tMüÆUüÂUüEèEëàEå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìEèExMÿUMMMëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSjh0hÀAÈjÿ$ÐbEüPøtÀüÉÀøX}üt,ÀhÀæEüPèNsSÉÉü[hhÀAÈMüQÿdÏb[å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQÇEüjj@h0hÐjÿØÐbPÿÐbEü}üujÿìÏbèRÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì(EÜPÿtÏbMðMØ}ØsjÿìÏbå]ÃÌÌÌÌÌÌÌÌUì¡@ÍbPèâaPè,sÄÀu! ÎbQè9aPèsÄÀujÿìÏb]ÃÌÌUììjjj¡ÐÈbPÿ,ÐbEôj MôQÿÐÏbEøUôRjÿpÐb}ø}jÿìÏbå]ÃÌÌÌÌÌUììHj@jE¸PèrÇE¸@M¸QÿÑbøujhUÄREÀPèÁjhRPèÁEøUüëÇEøÇEü}üwr }øWsjÿìÏbå]ÃÌÌUììÇEøÿhjÿÀÐbPÿXÐbEôEüPhjMQURÿ¬ÏbÀuEøPMôQjjUREüPÿÏbMüQÿ(ÐbEôå]ÃÌÌÌÌUìì\hèjüÿÿPÿäàAÄh4MBhäMBhè\ÿÿÿÄPüÿÿQÿlÐbüÿÿRÿÏbøÊhbBüÿÿPÿlÐbhÿ Büÿÿèh¬NBàûÿÿQðÉbRìûÿÿPüÿÿèÎÈèÇPüÿÿè«àûÿÿèìûÿÿèõhBøûÿÿè%jÈûÿÿQèrÄP¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèdÈèÍPøûÿÿèA¼ûÿÿèÔûÿÿèÈûÿÿèjøûÿÿèCPüÿÿRÿ0ÏbüÿÿPüÿÿQìÌøûÿÿRèæèÄÀtMüÿÿPüÿÿQìÌüÿÿRè»ìÌEPèÊ¤ûÿÿQè7Ä ¤ûÿÿèíøûÿÿè²PÿÏbøûÿÿèüÿÿèjjüÿÿRÿäàAÄøûÿÿè¦üÿÿèMèå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüÁ\|ènMüÁHècMüÁ<èXMüÁ0èMMüèåå]ÃÌUìQMüEPMüè MÁ0QMüÁ0è»UÂ<RMüÁ<è©EÀHPMüÁHèMüUBTATMüUBXAXMüUB\A\MüUB`A`MüUBdAdMüUBhAhMüUBlAlMüUBpApMüUBtAtMüUBxAxMÁ\|QMüÁ\|è Eüå]ÂÌÌÌÌUìQMüMüÁ$èNMüÁèCMüÁè8Müè0å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMÁQMüÁèUÂRMüÁèEÀ$PMüÁ$èwEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììthBMèèêhBMôèÝEüÿÿ½üÿÿt½üÿÿtW½üÿÿéÇjhþÿÿQèqÄP\þÿÿRMèèoPMèèæ\þÿÿè;hþÿÿè0éjPþÿÿPèÍpÄPDþÿÿQMèèPMèè¡DþÿÿèöPþÿÿèëë@j(8þÿÿRèpÄP,þÿÿPMèèèPMèè_,þÿÿè´8þÿÿè©}0hbBüýÿÿQURþÿÿPhdOBþÿÿQUèR þÿÿPMôèÈèÈè{ÈèPMôèëüýÿÿè@þÿÿè5þÿÿè þÿÿèéM$QÀýÿÿRh´PBÌýÿÿPMQØýÿÿRhPBäýÿÿPMèQðýÿÿRMôèùÈèÈèëÈètÈèÝPMôèTÀýÿÿè©ÌýÿÿèØýÿÿèäýÿÿèðýÿÿè} þÿÿPMôè>PÿÑbEä}äÿu5MôèVMèèNMèFMè>M$è6M4è®ûÿÿéh\QBÌþÿÿQÿÐbÀthRBÌþÿÿRÿÐbÀué}hBþÿÿè(}0æE$PlýÿÿQhüSBxýÿÿRÌþÿÿPýÿÿQhTSBýÿÿREPýÿÿQh¬RB¨ýÿÿREèP´ýÿÿQþÿÿè Èè)ÈèÈèÈèÈè ÈèvPþÿÿèêlýÿÿè?xýÿÿè4ýÿÿè)ýÿÿèýÿÿè¨ýÿÿè´ýÿÿèýé¦ÌþÿÿR0ýÿÿPhLUB<ýÿÿQURHýÿÿPh¤TBTýÿÿQUèR`ýÿÿPþÿÿèÑÈèZÈèÃÈèLÈèEPþÿÿè)0ýÿÿè~<ýÿÿèsHýÿÿèhTýÿÿè]`ýÿÿèRìÌþÿÿRèáèlÄÀ«h BþÿÿèahVBüüÿÿPMQýÿÿRhôUBýÿÿP ðÉbQ ýÿÿRþÿÿèÈèÈè÷Èè request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 6, 2024, 9:18 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.980902791862893, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98090279186

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00198200', u'virtual_address': u'0x0030e000', u'entropy': 7.953561389499389, u'name': u'empipoju', u'virtual_size': u'0x00199000'}

entropy

7.9535613895

description

A section with a high entropy has been found

entropy

0.993977552696

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (36 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Aug. 6, 2024, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.16
host	185.215.113.19
host	185.215.113.24

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 343 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 6, 2024, 9:17 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 6, 2024, 9:18 a.m.	class_name: OLLYDBG window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 6, 2024, 9:18 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6e18515bc8.exe				reg_value	C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe
file	C:\Windows\Tasks\explorti.job

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f2622b0 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f270d88 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I»`##?Aÿã base_address: 0x0000000077711590 process_identifier: 2868 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I{ base_address: 0x000000013f270d78 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I» #?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2868 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I{ base_address: 0x000000013f270d70 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: ÏT base_address: 0x000000013f210108 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f26aae8 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f270c78 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f7f22b0 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f800d88 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I»`#\|?Aÿã base_address: 0x0000000077711590 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: çH base_address: 0x000000013f800d78 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I» \|?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: çH base_address: 0x000000013f800d70 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: ÏT base_address: 0x000000013f7a0108 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7faae8 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f800c78 process_identifier: 2600 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f7f22b0 process_identifier: 1712 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f800d88 process_identifier: 1712 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I»`#\|?Aÿã base_address: 0x0000000077711590 process_identifier: 1712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: » base_address: 0x000000013f800d78 process_identifier: 1712 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I» \|?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: » base_address: 0x000000013f800d70 process_identifier: 1712 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: ÏT base_address: 0x000000013f7a0108 process_identifier: 1712 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7faae8 process_identifier: 1712 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f800c78 process_identifier: 1712 process_handle: 0x0000000000000048	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Aug. 6, 2024, 9:18 a.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	explorti.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (6 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\714ebb42-5311-4f11-93fe-3625f15d0edd.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\854944f6-c863-4df9-957c-e39bb5ed1152.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\feb1d719-5d37-4d6f-814f-ef095b02b421.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2484 resumed a thread in remote process 2800
Process injection	Process 2800 resumed a thread in remote process 2868
Process injection	Process 2500 resumed a thread in remote process 2600
Process injection	Process 2932 resumed a thread in remote process 1712
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2800	1	0	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2868	1	0	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2600	1	0	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1712	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 6, 2024, 9:17 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 89 1c 24 e9 e9 exception.symbol: herso+0x1f69b7 exception.instruction: in eax, dx exception.module: herso.exe exception.exception_code: 0xc0000096 exception.offset: 2058679 exception.address: 0x11e69b7 registers.esp: 4193004 registers.edi: 8662759 registers.eax: 1447909480 registers.ebp: 4007178260 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18748226 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 126 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 6, 2024, 9:17 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 1676	1	0
CreateProcessInternalW Aug. 6, 2024, 9:17 a.m.	thread_identifier: 2236 thread_handle: 0x000003ec process_identifier: 2232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f4	1	1
NtResumeThread Aug. 6, 2024, 9:17 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW Aug. 6, 2024, 9:17 a.m.	thread_identifier: 2488 thread_handle: 0x00000460 process_identifier: 2484 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\6e18515bc8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000464	1	1
CreateProcessInternalW Aug. 6, 2024, 9:18 a.m.	thread_identifier: 2980 thread_handle: 0x00000428 process_identifier: 2976 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000037002\8bc9ea3c13.exe track: 1 command_line: "C:\Users\test22\1000037002\8bc9ea3c13.exe" filepath_r: C:\Users\test22\1000037002\8bc9ea3c13.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
CreateProcessInternalW Aug. 6, 2024, 9:18 a.m.	thread_identifier: 3052 thread_handle: 0x0000036c process_identifier: 3048 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\356feeff4e.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
NtResumeThread Aug. 6, 2024, 9:17 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2484	1	0
CreateProcessInternalW Aug. 6, 2024, 9:18 a.m.	thread_identifier: 2804 thread_handle: 0x000002c0 process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e4	1	1
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:18 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
NtResumeThread Aug. 6, 2024, 9:19 a.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2484	1	0
CreateProcessInternalW Aug. 6, 2024, 9:18 a.m.	thread_identifier: 2872 thread_handle: 0x0000000000000044 process_identifier: 2868 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f2622b0 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f270d88 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Aug. 6, 2024, 9:18 a.m.	section_handle: 0x0000000000000060 process_identifier: 2868 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000007b490000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:18 a.m.	process_identifier: 2868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000007b490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I»`##?Aÿã base_address: 0x0000000077711590 process_identifier: 2868 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I{ base_address: 0x000000013f270d78 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I» #?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2868 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: I{ base_address: 0x000000013f270d70 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: ÏT base_address: 0x000000013f210108 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f26aae8 process_identifier: 2868 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 6, 2024, 9:18 a.m.	buffer: base_address: 0x000000013f270c78 process_identifier: 2868 process_handle: 0x000000000000004c	1	1

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!54DDA3A0F089
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.54dda3a0f0895906
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=84)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.YDWaayGleLci
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

herso.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All