Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 10, 2024, 12:28 p.m.	Aug. 10, 2024, 1:05 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`54a4376350631493186f19dfd5120d7b`
SHA256	`339ecbd542931717c9eeb57f2f04de3b0354505343cbc3c4d4a364f92ec9ec40`
CRC32	`DB53A3AC`
ssdeep	`49152:OVEsINgNKSq+LC0plWnwJcqOYCV6bbWdhzs:DZNgNfu0plYEd8VdHI`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

nino.exe "C:\Users\test22\AppData\Local\Temp\nino.exe"
2548
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2824
  - 88322d291b.exe "C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe"
    3052
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      2196
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2316
  - 7bf67a058c.exe "C:\Users\test22\1000037002\7bf67a058c.exe"
    1964
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2108
  - 131432ddf8.exe "C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe"
    2564
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.19:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49166 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.101:49177	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49177	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49177	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49177	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 10, 2024, 12:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2024, 12:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2024, 12:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2024, 12:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2024, 12:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 10, 2024, 12:29 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 101 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 10, 2024, 12:28 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:28 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:28 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:28 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:30 p.m.			0	0

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2024, 12:29 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	abvhhmys
section	ycigddzl
section	.taggant

One or more processes crashed (50 out of 265 events)

Time & API	Arguments	Status
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: nino+0x3240b9 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 3293369 exception.address: 0x10e40b9 registers.esp: 1637064 registers.edi: 0 registers.eax: 1 registers.ebp: 1637080 registers.edx: 19456000 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 83 ed 04 87 2c 24 exception.symbol: nino+0x6d355 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 447317 exception.address: 0xe2d355 registers.esp: 1637032 registers.edi: 234729 registers.eax: 26797 registers.ebp: 4004884500 registers.edx: 14417920 registers.ebx: 4294943884 registers.esi: 14890557 registers.ecx: 1969094656	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 eb fb ff ff 59 81 ec 04 00 00 00 89 1c 24 exception.symbol: nino+0x6e523 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 451875 exception.address: 0xe2e523 registers.esp: 1637032 registers.edi: 234729 registers.eax: 14871577 registers.ebp: 4004884500 registers.edx: 0 registers.ebx: 4294943884 registers.esi: 14890557 registers.ecx: 1259	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 31 c0 e9 79 f8 ff ff f7 de 51 b9 a1 f7 ff 7b exception.symbol: nino+0x1ee405 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2024453 exception.address: 0xfae405 registers.esp: 1637032 registers.edi: 16469600 registers.eax: 29835 registers.ebp: 4004884500 registers.edx: 425984 registers.ebx: 425984 registers.esi: 16439251 registers.ecx: 2130509824	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 55 54 8b 2c 24 83 c4 04 52 89 04 24 b8 bd 78 exception.symbol: nino+0x1ee1ba exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2023866 exception.address: 0xfae1ba registers.esp: 1637032 registers.edi: 16469600 registers.eax: 4294940272 registers.ebp: 4004884500 registers.edx: 425984 registers.ebx: 425984 registers.esi: 16439251 registers.ecx: 607422803	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 53 bb 54 8e f6 1f 81 ee a2 1c db 77 81 ee 00 exception.symbol: nino+0x1f3ae4 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2046692 exception.address: 0xfb3ae4 registers.esp: 1637028 registers.edi: 0 registers.eax: 27524 registers.ebp: 4004884500 registers.edx: 3596612136 registers.ebx: 16461318 registers.esi: 16463576 registers.ecx: 796476497	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 55 f8 ff ff 5a f7 d1 49 c1 e9 03 e9 8f 00 exception.symbol: nino+0x1f4067 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2048103 exception.address: 0xfb4067 registers.esp: 1637032 registers.edi: 0 registers.eax: 27524 registers.ebp: 4004884500 registers.edx: 3596612136 registers.ebx: 16461318 registers.esi: 16491100 registers.ecx: 796476497	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 52 fd ff ff 5e 01 fa e9 d3 ff ff ff 68 13 exception.symbol: nino+0x1f3c40 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2047040 exception.address: 0xfb3c40 registers.esp: 1637032 registers.edi: 0 registers.eax: 50665 registers.ebp: 4004884500 registers.edx: 4294942824 registers.ebx: 16461318 registers.esi: 16491100 registers.ecx: 796476497	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 05 fa ff ff b8 34 ec dd 65 f7 d0 0d 92 f7 exception.symbol: nino+0x1f79d8 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2062808 exception.address: 0xfb79d8 registers.esp: 1637028 registers.edi: 5713422 registers.eax: 16479091 registers.ebp: 4004884500 registers.edx: 1832119826 registers.ebx: 313254972 registers.esi: 16491100 registers.ecx: 313254972	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 00 00 00 00 89 2c 24 c7 exception.symbol: nino+0x1f7c41 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2063425 exception.address: 0xfb7c41 registers.esp: 1637032 registers.edi: 0 registers.eax: 16482100 registers.ebp: 4004884500 registers.edx: 1832119826 registers.ebx: 134889 registers.esi: 16491100 registers.ecx: 313254972	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 53 89 e3 81 ec 04 00 00 exception.symbol: nino+0x1fd78f exception.instruction: in eax, dx exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2086799 exception.address: 0xfbd78f registers.esp: 1637024 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 4004884500 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 16501343 registers.ecx: 20	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: nino+0x1fd6eb exception.address: 0xfbd6eb exception.module: nino.exe exception.exception_code: 0xc000001d exception.offset: 2086635 registers.esp: 1637024 registers.edi: 0 registers.eax: 1 registers.ebp: 4004884500 registers.edx: 22104 registers.ebx: 0 registers.esi: 16501343 registers.ecx: 20	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 2e 2e 2d 12 01 exception.symbol: nino+0x201949 exception.instruction: in eax, dx exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2103625 exception.address: 0xfc1949 registers.esp: 1637024 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 4004884500 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16501343 registers.ecx: 10	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 53 e8 03 00 00 00 20 5b c3 5b exception.symbol: nino+0x20531b exception.instruction: int 1 exception.module: nino.exe exception.exception_code: 0xc0000005 exception.offset: 2118427 exception.address: 0xfc531b registers.esp: 1636992 registers.edi: 0 registers.eax: 1636992 registers.ebp: 4004884500 registers.edx: 27381 registers.ebx: 16536875 registers.esi: 4026424398 registers.ecx: 2130558464	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 68 0c 48 25 12 ff 34 24 ff 34 24 8b 0c 24 83 exception.symbol: nino+0x206096 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2121878 exception.address: 0xfc6096 registers.esp: 1637032 registers.edi: 0 registers.eax: 16565817 registers.ebp: 4004884500 registers.edx: 16536957 registers.ebx: 4294941864 registers.esi: 2283 registers.ecx: 2130509981	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 68 c8 89 81 51 89 2c 24 89 04 24 89 1c 24 57 exception.symbol: nino+0x20d505 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2151685 exception.address: 0xfcd505 registers.esp: 1637032 registers.edi: 0 registers.eax: 31667 registers.ebp: 4004884500 registers.edx: 16550542 registers.ebx: 4294941864 registers.esi: 2283 registers.ecx: 16599257	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 56 51 e9 e9 00 00 00 81 f7 e5 45 09 61 e9 f3 exception.symbol: nino+0x20ce35 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2149941 exception.address: 0xfcce35 registers.esp: 1637032 registers.edi: 604277079 registers.eax: 0 registers.ebp: 4004884500 registers.edx: 16550542 registers.ebx: 4294941864 registers.esi: 2283 registers.ecx: 16570809	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 31 ff ff ff 68 57 a4 d9 exception.symbol: nino+0x2176a3 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2193059 exception.address: 0xfd76a3 registers.esp: 1637032 registers.edi: 14856598 registers.eax: 16639898 registers.ebp: 4004884500 registers.edx: 6 registers.ebx: 21662034 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 52 e9 7d 01 00 00 89 f2 5e e9 7f 04 00 00 81 exception.symbol: nino+0x2173c4 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2192324 exception.address: 0xfd73c4 registers.esp: 1637032 registers.edi: 14856598 registers.eax: 16611958 registers.ebp: 4004884500 registers.edx: 112105 registers.ebx: 21662034 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 61 01 00 00 59 89 c3 8b 04 24 e9 ad 06 00 exception.symbol: nino+0x21906a exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2199658 exception.address: 0xfd906a registers.esp: 1637028 registers.edi: 14856598 registers.eax: 16616866 registers.ebp: 4004884500 registers.edx: 112105 registers.ebx: 21662034 registers.esi: 1968968720 registers.ecx: 112105	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 8e f8 ff ff ff 04 24 e9 exception.symbol: nino+0x2195c5 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2201029 exception.address: 0xfd95c5 registers.esp: 1637032 registers.edi: 14856598 registers.eax: 16648890 registers.ebp: 4004884500 registers.edx: 112105 registers.ebx: 21662034 registers.esi: 1968968720 registers.ecx: 112105	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 32 00 00 00 5d e9 db fb ff ff 81 c4 04 00 exception.symbol: nino+0x2192cc exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2200268 exception.address: 0xfd92cc registers.esp: 1637032 registers.edi: 1179202795 registers.eax: 16620162 registers.ebp: 4004884500 registers.edx: 0 registers.ebx: 21662034 registers.esi: 1968968720 registers.ecx: 112105	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 81 c6 d1 39 cf 61 51 e9 af fe ff ff b8 49 65 exception.symbol: nino+0x21cd20 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2215200 exception.address: 0xfdcd20 registers.esp: 1637020 registers.edi: 1179202795 registers.eax: 30916 registers.ebp: 4004884500 registers.edx: 1721108801 registers.ebx: 1605781592 registers.esi: 16632068 registers.ecx: 992955180	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 57 bf d7 e0 ed 49 bb b3 57 f2 83 83 ec 04 89 exception.symbol: nino+0x21d2d9 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2216665 exception.address: 0xfdd2d9 registers.esp: 1637024 registers.edi: 1179202795 registers.eax: 0 registers.ebp: 4004884500 registers.edx: 1721108801 registers.ebx: 1605781592 registers.esi: 16635176 registers.ecx: 84201	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 56 be 37 ff 7f 6f 81 c6 25 a1 e6 4b 81 ee 21 exception.symbol: nino+0x22fe36 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2293302 exception.address: 0xfefe36 registers.esp: 1637020 registers.edi: 16708907 registers.eax: 27518 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 16697447 registers.esi: 0 registers.ecx: 2130509824	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 68 00 60 93 34 8b 04 24 e9 57 01 exception.symbol: nino+0x230072 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2293874 exception.address: 0xff0072 registers.esp: 1637024 registers.edi: 16712181 registers.eax: 1358981728 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 16697447 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 68 db 36 ba 6b 89 3c 24 89 04 24 e9 c5 f5 ff exception.symbol: nino+0x2420fb exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2367739 exception.address: 0x10020fb registers.esp: 1636988 registers.edi: 16782618 registers.eax: 29851 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 2130509824 registers.esi: 16782924 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 03 25 c4 2c ff 34 24 8b 04 24 68 exception.symbol: nino+0x241b67 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2366311 exception.address: 0x1001b67 registers.esp: 1636992 registers.edi: 178096992 registers.eax: 29851 registers.ebp: 4004884500 registers.edx: 4294940516 registers.ebx: 2130509824 registers.esi: 16812775 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 32 e9 1e 01 00 00 81 e5 52 04 f7 exception.symbol: nino+0x242e96 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2371222 exception.address: 0x1002e96 registers.esp: 1636992 registers.edi: 178096992 registers.eax: 30040 registers.ebp: 4004884500 registers.edx: 16817597 registers.ebx: 1519169404 registers.esi: 16812775 registers.ecx: 886358302	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 68 34 79 db 4c 89 1c 24 c7 04 24 5a 32 5f 72 exception.symbol: nino+0x2430b2 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2371762 exception.address: 0x10030b2 registers.esp: 1636992 registers.edi: 178096992 registers.eax: 10938710 registers.ebp: 4004884500 registers.edx: 16817597 registers.ebx: 1519169404 registers.esi: 4294940024 registers.ecx: 886358302	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 68 f2 d0 10 35 89 3c 24 c7 04 24 05 00 df 3e exception.symbol: nino+0x243b90 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2374544 exception.address: 0x1003b90 registers.esp: 1636992 registers.edi: 178096992 registers.eax: 27584 registers.ebp: 4004884500 registers.edx: 16817597 registers.ebx: 16818128 registers.esi: 4294940024 registers.ecx: 744800113	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 ba 60 bc ff 5f f7 d2 81 ea 6f 92 exception.symbol: nino+0x243a98 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2374296 exception.address: 0x1003a98 registers.esp: 1636992 registers.edi: 178096992 registers.eax: 27584 registers.ebp: 4004884500 registers.edx: 16817597 registers.ebx: 16793380 registers.esi: 722902413 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 79 f7 ff ff e9 ae 00 00 00 60 66 8c da f6 exception.symbol: nino+0x249c3c exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2399292 exception.address: 0x1009c3c registers.esp: 1636992 registers.edi: 3827841908 registers.eax: 16817214 registers.ebp: 4004884500 registers.edx: 0 registers.ebx: 576 registers.esi: 44777 registers.ecx: 16812617	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 51 e9 7b 03 00 00 81 c6 b0 f3 ec 3b 81 c6 09 exception.symbol: nino+0x24a0e4 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2400484 exception.address: 0x100a0e4 registers.esp: 1636988 registers.edi: 3827841908 registers.eax: 26682 registers.ebp: 4004884500 registers.edx: 814654036 registers.ebx: 1936328356 registers.esi: 16817703 registers.ecx: 16812617	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb b9 5e 91 bf 6c c1 e1 05 50 c7 04 24 5a b6 bb exception.symbol: nino+0x24a666 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2401894 exception.address: 0x100a666 registers.esp: 1636992 registers.edi: 24811 registers.eax: 26682 registers.ebp: 4004884500 registers.edx: 814654036 registers.ebx: 4294943424 registers.esi: 16844385 registers.ecx: 16812617	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 52 ba d1 0d f7 66 52 81 2c exception.symbol: nino+0x24c9c2 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2410946 exception.address: 0x100c9c2 registers.esp: 1636988 registers.edi: 16828163 registers.eax: 26128 registers.ebp: 4004884500 registers.edx: 985629728 registers.ebx: 4294943424 registers.esi: 16844385 registers.ecx: 697784127	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 51 e9 25 06 00 00 01 f8 e9 f5 fc ff ff 5e 81 exception.symbol: nino+0x24cbcf exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2411471 exception.address: 0x100cbcf registers.esp: 1636992 registers.edi: 16831391 registers.eax: 26128 registers.ebp: 4004884500 registers.edx: 0 registers.ebx: 4294943424 registers.esi: 3939837675 registers.ecx: 697784127	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 e9 41 fa ff ff 01 f2 ff 34 exception.symbol: nino+0x24f4c6 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2421958 exception.address: 0x100f4c6 registers.esp: 1636992 registers.edi: 157417 registers.eax: 16870535 registers.ebp: 4004884500 registers.edx: 16832424 registers.ebx: 4 registers.esi: 4294938004 registers.ecx: 33669207	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 81 e9 21 08 07 77 03 0c 24 55 bd 93 da 1e 5a exception.symbol: nino+0x255d7c exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2448764 exception.address: 0x1015d7c registers.esp: 1636988 registers.edi: 157417 registers.eax: 29383 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 16844957 registers.ecx: 16864632	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 91 00 00 00 68 ee a8 a1 79 89 14 24 ba d6 exception.symbol: nino+0x255edf exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2449119 exception.address: 0x1015edf registers.esp: 1636992 registers.edi: 157417 registers.eax: 29383 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 16844957 registers.ecx: 16894015	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 68 10 a5 0a 60 e9 9d ff ff ff 81 exception.symbol: nino+0x25569e exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2447006 exception.address: 0x101569e registers.esp: 1636992 registers.edi: 0 registers.eax: 29383 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 1877129553 registers.esi: 16844957 registers.ecx: 16867299	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 c7 04 24 72 87 ce 7f 81 04 exception.symbol: nino+0x256642 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2451010 exception.address: 0x1016642 registers.esp: 1636992 registers.edi: 0 registers.eax: 28642 registers.ebp: 4004884500 registers.edx: 1819926600 registers.ebx: 583910454 registers.esi: 16844957 registers.ecx: 16896155	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 57 54 e9 f7 f9 ff ff 89 d3 5a f7 d3 c1 eb 01 exception.symbol: nino+0x2566c2 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2451138 exception.address: 0x10166c2 registers.esp: 1636992 registers.edi: 604292950 registers.eax: 28642 registers.ebp: 4004884500 registers.edx: 1819926600 registers.ebx: 0 registers.esi: 16844957 registers.ecx: 16870235	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 70 ff ff ff 83 c4 04 e9 16 07 00 00 01 cd exception.symbol: nino+0x272d5a exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2567514 exception.address: 0x1032d5a registers.esp: 1636988 registers.edi: 16973145 registers.eax: 27493 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 16938314 registers.esi: 16938310 registers.ecx: 16984473	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 02 ff ff ff 01 f9 5f 49 49 52 57 bf 2f a8 exception.symbol: nino+0x273254 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2568788 exception.address: 0x1033254 registers.esp: 1636992 registers.edi: 16973145 registers.eax: 27493 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 16938314 registers.esi: 16938310 registers.ecx: 17011966	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 68 d8 3e 08 0d e9 70 01 00 00 81 ea 25 91 98 exception.symbol: nino+0x272b42 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2566978 exception.address: 0x1032b42 registers.esp: 1636992 registers.edi: 4294942588 registers.eax: 1470107752 registers.ebp: 4004884500 registers.edx: 2130566132 registers.ebx: 16938314 registers.esi: 16938310 registers.ecx: 17011966	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 b9 ec 96 fe 7f 56 e9 10 02 00 00 exception.symbol: nino+0x280840 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2623552 exception.address: 0x1040840 registers.esp: 1636988 registers.edi: 2130321843 registers.eax: 27143 registers.ebp: 4004884500 registers.edx: 17040880 registers.ebx: 17017973 registers.esi: 4440328 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 e8 fb ff ff 43 c1 e3 04 c1 eb 03 e9 4c 02 exception.symbol: nino+0x280e2d exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2625069 exception.address: 0x1040e2d registers.esp: 1636992 registers.edi: 2130321843 registers.eax: 27143 registers.ebp: 4004884500 registers.edx: 17068023 registers.ebx: 17017973 registers.esi: 4440328 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 e9 cc 02 00 00 8f 04 24 e9 27 00 exception.symbol: nino+0x280806 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2623494 exception.address: 0x1040806 registers.esp: 1636992 registers.edi: 2130321843 registers.eax: 2179434839 registers.ebp: 4004884500 registers.edx: 17043979 registers.ebx: 0 registers.esi: 4440328 registers.ecx: 0	1
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: fb e9 09 05 00 00 09 d8 e9 0d 05 00 00 87 04 24 exception.symbol: nino+0x281961 exception.instruction: sti exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2627937 exception.address: 0x1041961 registers.esp: 1636992 registers.edi: 2130321843 registers.eax: 28565 registers.ebp: 4004884500 registers.edx: 17043979 registers.ebx: 22145360 registers.esi: 17047757 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/num/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (13 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/well/random.exe
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.16/num/random.exe
request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 202 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:28 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2316 crashed
__exception__ Aug. 10, 2024, 12:29 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9105256 registers.r15: 8791562032752 registers.rcx: 48 registers.rsi: 8791561964416 registers.r10: 0 registers.rbx: 0 registers.rsp: 9104888 registers.r11: 9108272 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14927888 registers.rbp: 9105008 registers.rdi: 66172576 registers.rax: 13442816 registers.r13: 9105848	1	0	0

Application Crash

Process firefox.exe with pid 2316 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 10, 2024, 12:29 p.m.

stacktrace:

0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9105256
registers.r15: 8791562032752
registers.rcx: 48
registers.rsi: 8791561964416
registers.r10: 0
registers.rbx: 0
registers.rsp: 9104888
registers.r11: 9108272
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 8796092883536
registers.r12: 14927888
registers.rbp: 9105008
registers.rdi: 66172576
registers.rax: 13442816
registers.r13: 9105848

Steals private information from local Internet browsers (50 out of 4440 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (9 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe
file	C:\Users\test22\1000037002\7bf67a058c.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 10, 2024, 12:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW Aug. 10, 2024, 12:29 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe	1	1
ShellExecuteExW Aug. 10, 2024, 12:29 p.m.	show_type: 0 filepath_r: C:\Users\test22\1000037002\7bf67a058c.exe parameters: filepath: C:\Users\test22\1000037002\7bf67a058c.exe	1	1
ShellExecuteExW Aug. 10, 2024, 12:29 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 10, 2024, 12:29 p.m.	snapshot_handle: 0x000002f8 process_name: explorti.exe process_identifier: 2824	1	1
Process32NextW Aug. 10, 2024, 12:29 p.m.	snapshot_handle: 0x000002f8 process_name: 88322d291b.exe process_identifier: 3052	1	1
Process32NextW Aug. 10, 2024, 12:29 p.m.	snapshot_handle: 0x000002f8 process_name: RegAsm.exe process_identifier: 2108	1	1
Process32NextW Aug. 10, 2024, 12:29 p.m.	snapshot_handle: 0x000002f8 process_name: firefox.exe process_identifier: 2196	1	1
Process32NextW Aug. 10, 2024, 12:29 p.m.	snapshot_handle: 0x000002f8 process_name: firefox.exe process_identifier: 2316	1	1
Process32NextW Aug. 10, 2024, 12:29 p.m.	snapshot_handle: 0x000002f8 process_name: 131432ddf8.exe process_identifier: 2564	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 10, 2024, 12:29 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000003c00000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes explorti.exe, regasm.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 10, 2024, 12:28 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELïØ¶fà"¬ Æ5À @P¶@ P uÈ,LÐè0 ° @àÀ ò@àÀö@à@ öú@àPbð @à.rsrcÐR@@x`(à@à.data`!ð\!@à>r% >©KO¦æ/v'!4?Ó=e7H«ø>èMÔe¥Íp¯!÷â,ûMbñÄÃ¹¦å^hFbÄ(ûEÝo&ªªLmö%·÷r±;æäÞñÜá+n4ÝÀÙ/«z_ôØýHñhÝ0DLõ~ÂséTtùTô%x+AØqFYðîò«BéÃdg=éZÏª4°HQ'ªè'gÓYl¸ô£Ô±þff²18ý¨ÚíéYÃ×DJ&:¿UïÆgÓÄsF¨Ië?§ûËø·&G;ë^ËËq²QYÀËuµ0NòYmnQ8¦Lí¾ã®º[Ì±yÕ<ú³X`ºB¶3Ç«O·ì0Ð¼õÐÜµþÿ{â_9ZÂ½oþ^E:ZçRÆ®) à]ù=£Ò{ÏØßßÊ Ó;FFB;¨{~·[TWhCÈUÂúÛÓÝâÜÕï1HÜTÖïF\|¡[:^¿ù¿ü¶\åóïQ3 Â xáÖa¢ÆÄ6?Yiüµ7¶C¥³Yé Ó±4rhfm CoÚö`SÏöTaú¢fXÍ©.¥?ÌD±ÄÛèl°þâ÷Ë(µ·wMSÁã}Ûp[V¹ÌÖõïsM¶l°rÄ èc·ÇÏ¤y=Lø±Ë0®=ÖL0ÑpûIH]kMÌô©mËõO%?µö1t÷SFP¬hÉ9&Ïhä£s¯ÜÙ9_Jì³}ú¶mÄÜ>È¨ëç7É;N+©Aô¨§Çz9h-&ãLÞ +üH£»õg0 ¹Ð¦/[LI0(Qm ÌGÓ ßU~§ê©E¥&]WæÌp4÷ %¡&k³Yà2/)p´ÜêTbº¯"áa/%½ÙÖóftÌÍtûâ¨g¿N2@ënE(ipî´TLe¶ùñ§ÔfZéG´g°â'yG÷!EG-,Ë.>ïÂÿ)§<ö V%]ä¿×%^TÜ`tWO&mD'r4û2:óø¨sýWNüÒìÊFÉñD"ìLfJ^¦¾öB¦uÑ\æªhSRÏË±m®lcã={ÆÃbOVI@Ë]áØÊ[,Æß$FCý(&KH(È³ÙòÙ8&·7ù»Ï¾6äÊYuäxT -$x <taøf®¨õçXíú$ê ËðµÄØ âd£Ï[bçt=^äÀ 0GÄø Æp×qK5\,îßÅÀVÅ4ê.Hg¢+´D³2ÊZÓ#ßÒÉÕÖg4¬óÒ?\|ù!gd_ 9hîv¥3bËíÓ\|ÚaµªJÛÍvR¥½@¨Y9~YÝúà¢ùâ V¶`YN%ëFr`K4'ª#Ý§[îop+ú°>ûyñÍè¾wÿ«²cÀõt ézý!i0¡<9Õ6-5dû4 ÓyØ²Gå9ðÏ!Ñ¼Y~T)X¶ÐgPv½é¶â±Îz)ü~ÙÄì±uæ%Ù¬v?tãò¹)Ppj"kûÓ¾¨ñ¹:I£ ºÙ¦ý×¯ù·¦ª¹G.ØøÜR¾kOÊ´OæØÈQk£Po¸Ì¨Ò·Ù:Z<ÒdÇ %üaeÂ¶ë(nüædÒÂÙëÀªÉ´f$¨7ÖjFpûéL}èÓ"çãb~÷;¨Aµ©7o¾Ã«`f½kÄ«»« Ðü¼Nà°Ëð>7¯ðDq'`\us$J¹sôÇÓºsjÏ»¸ZÀJÕã`Á¥Ï¶BXYÀÃ#Ê±[#«r%6Ç2ÀHÕ®:\Hý.¡WÍÔöMÁýõuO3íc%ÿeÑTy'ÉÂFu.Íýd^è(11IW²5¶7¿íUYGwÉçD%("µàµ×ýè^®±f¼¶$ÒONy(P# ¹}êj?'üøØÌ -Ñm<Ï \|à/>$ MäÂã{Ò9Ú»D·>{þuÞfbSõGèzÛýåÛwøÄåO»~Éó».1åªËN JÆæÀyQÏúqhgV¤6ÊÆøÉ]61ÍÐô#<¸Î]w¿ÇQÒÓ?Hnª¶ÄS¶ØÓ0®)j}g8¨üBJP2òÙ, ¦WX´(ÃªsjéÁ·ø{a ÎÙ¤©çù Gkàvù»êdèî ½£a=Ü{=udòóffYº}!qUEc1½O)ú2ê Æ<UV"¿i7"ÀI2L¹=[ÕIñËÚv8¡l@;Öù7W´Ð»âÇÒ0Ò¾¿=çëoè.èæèöÆT)#÷û±Rejnc©·Óè-ò®t ¦-SÖzU/oíÁ¥uøEá¸ÑÂ/XÑ)S Ëq^Ô«;Àw°åúBF7EÛûË¦ÐåÉ2eÂïE÷Î¶éa #.ù¢Çq,»qèoÀ±<K{pCh$ikjÄ9BûPsÒä¸Wô¹÷r[&úi\|ÃÑÃîÌ-ôWP4ý¾µnùAç©(ë¬y#¦jÈÞd£ÙÀüXE:u?ÿ»ÛëSÈÒuØIÊùþ°®5=2Qõmx£<XÚi)¡äbjÚ_#ì&âh]¥¯©üR¦g®W©/,ÈÁ¬ä1! E^ê":PIhqQ/³KÜrw±FMÛ [òëò¶ãF9áÿ©.GõÂ0úÓªù-·C6eU³ 9P§pÇ«¶0l~}òàÈukÿf81!~ÚÁÇb¦u» `<ªé´±òk÷HR´ÊÎÞ¶w:X·ßÜÅéU¿Ù¤ÿÄVÂ7&IFXÀ=[»p\J& ªÐ=¢ër(Xp¢ÂqY ×NzsÍoê)X¿/{9eÜ.ùé¦æeqS11=NkÝ×ÃBÔ¹<Øu¥eÀèSã(Ï÷Æ27îµxÞ\|Ìk3ªy 8¢ÛÍñø[ YÏ¸ú"± ½SÜ ¶dØ1õ;mÃR c»iqÕ_{QØ·pIñÝÐ«&¬EÇGÊóÔ¶°Ù!L=jS2¯ZGrT¥JaIàöA³¯çý5gaòÐ¿ÉÌ«B«·3Y¥L÷¤Q,µò1t-w]6À¡ôø #Kal÷#ÕbAÓÐÒ¯ÆÌ$í»²ÂlÔÖ\--k@q ûÀ³ñó9iv 4}¤W\oì¯¬è½@~ÿ<kËïãÉçÍÉaeâ¤Í:Ñahf#TZDÑÍ;î; e¨¶OZ C¶ªk¾\'9ºÑJøÓ7Ò`ÑA·d:>ßØàRVéJè_ßðOGÑãâRÜÅÉ¾Ænê8§yõÍ¹;Ü×º×jÃc 9$ówµYÖÊwW`&n¨ÏRÎä@Ü&C3pº×¤!ÈêõÁ)x\õ¬DG×ð(0TOu!qè¸ÔåC3nM?úÔP^UpöÄtuº±Ï>ãPYö]çHæéûqñ¡zìùm×¥~ò=¤TÅ p+o~ög[wÞ#dÞF¨rÖú}«Æe÷F.Äçñpké;DòF7þ¶¡U}$ä_ý U8?ï:nüÒàþÔU§$Íl¢Úî0ÏªMç±6[óÝåú¢VS¾vÊwì²¿¤ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELëå¶fàÎ* @@ `K@(&`< H.textÔ `.rsrc@@@.reloc`@B°H4Ê`DD0V~:K( è s ( þþ ( ( ?rps z.(,(F(,(( ò(,(%Ð( î%Ð( 0C(,(( qa² } a~Ä{\a(.( ( (( 0-8o ( Xo ?âÿÿÿ( 0 8.( s i]o i]X ?Çÿÿÿ 8n XX ] ÝEo! o >, ú 6 ¾a~Ä{za(.o! (" ( Ý X ?ÿÿÿ 8 úp? Wõ )¬; pÉD ßÙ1 ½´¤O ³L %ýy Ó, M#: RCk î[ Go { ñ/b ×¥ JóÅ 1ºË/ Ö±&n #ÿ Ö]` Ôo( ý= ` n jaijnXmX YnjYmj nYm Z[X ] X ] ! ! X ]" nj<Znj[m jnZmZ \nj[i njZiZj nYm a%q"aÒXi?Vþÿÿ_tE'0á( °¸ ©pêa~Ä{¤a(.s 91o9& cÎ w<CY z¹×¾a~Ä{_a(.( s# 9v~~( eo$ &~~i@(&~~( ~ ~((&F(,(( 0A(,((%Ð( ¬%Ð ( 0c~ Xo% o& 89 ~ o' Xo( t, () to* Xi?¾ÿÿÿF(,(( (,(Ð (+ o, o- 0W#Ð(+ o, @$%Ð?( $"s 2&s (+,~. ~. 's/ )j!0j1./~. s0 -%~. (1 Ý&ÝEP0 W$ ÀiZ ]Y X ]: ij\nXjXm ijjZ 8Xi?èÿÿÿi%G `ÒR8$ njYÔ YZ?_d ÿj_ÒY=ÔÿÿÿiZ \ #Eg «Íï þÜº vT2 8 b89dXXbXXb`XXb`X`X=D¾ÿÿÿ ( ( ( (( ( ( ( ( ( ( ( ( ( ( (( ( ( (( ( ( ( ( ( ( ( ( ( ( (!( "( #( $(%( &( '( (( )( *( +( ,( -( .( /( 0(1( 2( 3( 4(5( 6( 7( 8(9( :( ;( <(=( >( ?( @( X XXX X \Dâúÿÿ (2 (3 (2 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.relocDà#F¨@By¹ApÈAÙÈAUìQEEü}tMüÆUüÂUüEèEëàEå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìEèExMÿUMMMëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSjh0hÀAÈjÿ$ÐbEüPøtÀüÉÀøX}üt,ÀhÀæEüPèNsSÉÉü[hhÀAÈMüQÿdÏb[å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQÇEüjj@h0hÐjÿØÐbPÿÐbEü}üujÿìÏbèRÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì(EÜPÿtÏbMðMØ}ØsjÿìÏbå]ÃÌÌÌÌÌÌÌÌUì¡@ÍbPèâaPè,sÄÀu! ÎbQè9aPèsÄÀujÿìÏb]ÃÌÌUììjjj¡ÐÈbPÿ,ÐbEôj MôQÿÐÏbEøUôRjÿpÐb}ø}jÿìÏbå]ÃÌÌÌÌÌUììHj@jE¸PèrÇE¸@M¸QÿÑbøujhUÄREÀPèÁjhRPèÁEøUüëÇEøÇEü}üwr }øWsjÿìÏbå]ÃÌÌUììÇEøÿhjÿÀÐbPÿXÐbEôEüPhjMQURÿ¬ÏbÀuEøPMôQjjUREüPÿÏbMüQÿ(ÐbEôå]ÃÌÌÌÌUìì\hèjüÿÿPÿäàAÄh4MBhäMBhè\ÿÿÿÄPüÿÿQÿlÐbüÿÿRÿÏbøÊhbBüÿÿPÿlÐbhÿ Büÿÿèh¬NBàûÿÿQðÉbRìûÿÿPüÿÿèÎÈèÇPüÿÿè«àûÿÿèìûÿÿèõhBøûÿÿè%jÈûÿÿQèrÄP¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèdÈèÍPøûÿÿèA¼ûÿÿèÔûÿÿèÈûÿÿèjøûÿÿèCPüÿÿRÿ0ÏbüÿÿPüÿÿQìÌøûÿÿRèæèÄÀtMüÿÿPüÿÿQìÌüÿÿRè»ìÌEPèÊ¤ûÿÿQè7Ä ¤ûÿÿèíøûÿÿè²PÿÏbøûÿÿèüÿÿèjjüÿÿRÿäàAÄøûÿÿè¦üÿÿèMèå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüÁ\|ènMüÁHècMüÁ<èXMüÁ0èMMüèåå]ÃÌUìQMüEPMüè MÁ0QMüÁ0è»UÂ<RMüÁ<è©EÀHPMüÁHèMüUBTATMüUBXAXMüUB\A\MüUB`A`MüUBdAdMüUBhAhMüUBlAlMüUBpApMüUBtAtMüUBxAxMÁ\|QMüÁ\|è Eüå]ÂÌÌÌÌUìQMüMüÁ$èNMüÁèCMüÁè8Müè0å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMÁQMüÁèUÂRMüÁèEÀ$PMüÁ$èwEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììthBMèèêhBMôèÝEüÿÿ½üÿÿt½üÿÿtW½üÿÿéÇjhþÿÿQèqÄP\þÿÿRMèèoPMèèæ\þÿÿè;hþÿÿè0éjPþÿÿPèÍpÄPDþÿÿQMèèPMèè¡DþÿÿèöPþÿÿèëë@j(8þÿÿRèpÄP,þÿÿPMèèèPMèè_,þÿÿè´8þÿÿè©}0hbBüýÿÿQURþÿÿPhdOBþÿÿQUèR þÿÿPMôèÈèÈè{ÈèPMôèëüýÿÿè@þÿÿè5þÿÿè þÿÿèéM$QÀýÿÿRh´PBÌýÿÿPMQØýÿÿRhPBäýÿÿPMèQðýÿÿRMôèùÈèÈèëÈètÈèÝPMôèTÀýÿÿè©ÌýÿÿèØýÿÿèäýÿÿèðýÿÿè} þÿÿPMôè>PÿÑbEä}äÿu5MôèVMèèNMèFMè>M$è6M4è®ûÿÿéh\QBÌþÿÿQÿÐbÀthRBÌþÿÿRÿÐbÀué}hBþÿÿè(}0æE$PlýÿÿQhüSBxýÿÿRÌþÿÿPýÿÿQhTSBýÿÿREPýÿÿQh¬RB¨ýÿÿREèP´ýÿÿQþÿÿè Èè)ÈèÈèÈèÈè ÈèvPþÿÿèêlýÿÿè?xýÿÿè4ýÿÿè)ýÿÿèýÿÿè¨ýÿÿè´ýÿÿèýé¦ÌþÿÿR0ýÿÿPhLUB<ýÿÿQURHýÿÿPh¤TBTýÿÿQUèR`ýÿÿPþÿÿèÑÈèZÈèÃÈèLÈèEPþÿÿè)0ýÿÿè~<ýÿÿèsHýÿÿèhTýÿÿè]`ýÿÿèRìÌþÿÿRèáèlÄÀ«h BþÿÿèahVBüüÿÿPMQýÿÿRhôUBýÿÿP ðÉbQ ýÿÿRþÿÿèÈèÈè÷Èè request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.9819160092800105, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98191600928

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a8c00', u'virtual_address': u'0x00324000', u'entropy': 7.953993161003166, u'name': u'abvhhmys', u'virtual_size': u'0x001a9000'}

entropy

7.953993161

description

A section with a high entropy has been found

entropy

0.994189117802

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (30 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	185.215.113.16
host	185.215.113.19

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 10, 2024, 12:29 p.m.	process_identifier: 2108 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f4	1
NtProtectVirtualMemory Aug. 10, 2024, 12:29 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 10, 2024, 12:29 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 526 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 10, 2024, 12:28 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 10, 2024, 12:29 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 10, 2024, 12:29 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 10, 2024, 12:29 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 10, 2024, 12:29 p.m.	class_name: OLLYDBG window_name:		0	0

A process attempted to delay the analysis task. (4 events)

description	88322d291b.exe tried to sleep 448 seconds, actually delayed analysis time by 448 seconds
description	explorti.exe tried to sleep 1735 seconds, actually delayed analysis time by 1735 seconds
description	131432ddf8.exe tried to sleep 162 seconds, actually delayed analysis time by 162 seconds
description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\88322d291b.exe				reg_value	C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe
file	C:\Windows\Tasks\explorti.job

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2108 process_handle: 0x000001f4	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2108 process_handle: 0x000001f4	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2108 process_handle: 0x000001f4	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: base_address: 0x000000013f8a22b0 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: base_address: 0x000000013f8b0d88 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 2316 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: 8y base_address: 0x000000013f8b0d78 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2316 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: 8y base_address: 0x000000013f8b0d70 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: ÏT base_address: 0x000000013f850108 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f8aaae8 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: base_address: 0x000000013f8b0c78 process_identifier: 2316 process_handle: 0x000000000000004c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 10, 2024, 12:29 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2108 process_handle: 0x000001f4	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 10, 2024, 12:29 p.m.	key_handle: 0x000002fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1964 called NtSetContextThread to modify thread in remote process 2108
NtSetContextThread Aug. 10, 2024, 12:29 p.m.	registers.eip: 1995571652 registers.esp: 2489424 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f0 process_identifier: 2108	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

firefox.exe

martian_process

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3052 resumed a thread in remote process 2196
Process injection	Process 1964 resumed a thread in remote process 2108
Process injection	Process 2196 resumed a thread in remote process 2316
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2196	1	0	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x000001f0 suspend_count: 1 process_identifier: 2108	1	0	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2316	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 10, 2024, 12:28 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 53 89 e3 81 ec 04 00 00 exception.symbol: nino+0x1fd78f exception.instruction: in eax, dx exception.module: nino.exe exception.exception_code: 0xc0000096 exception.offset: 2086799 exception.address: 0xfbd78f registers.esp: 1637024 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 4004884500 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 16501343 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 94 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 10, 2024, 12:28 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW Aug. 10, 2024, 12:28 p.m.	thread_identifier: 2828 thread_handle: 0x000003d8 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtResumeThread Aug. 10, 2024, 12:28 p.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2824	1	0
CreateProcessInternalW Aug. 10, 2024, 12:29 p.m.	thread_identifier: 3056 thread_handle: 0x00000474 process_identifier: 3052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\88322d291b.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW Aug. 10, 2024, 12:29 p.m.	thread_identifier: 908 thread_handle: 0x0000045c process_identifier: 1964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000037002\7bf67a058c.exe track: 1 command_line: "C:\Users\test22\1000037002\7bf67a058c.exe" filepath_r: C:\Users\test22\1000037002\7bf67a058c.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Aug. 10, 2024, 12:29 p.m.	thread_identifier: 2568 thread_handle: 0x000003ac process_identifier: 2564 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\131432ddf8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3052	1	0
CreateProcessInternalW Aug. 10, 2024, 12:29 p.m.	thread_identifier: 2204 thread_handle: 0x000002dc process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2196	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:29 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:30 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0
NtResumeThread Aug. 10, 2024, 12:31 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 3052	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Rising	Trojan.Kryptik@AI.84 (RDML:myEsm/+Fuiy3L9fNBvp+Mw)
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!54A437635063
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.54a4376350631493
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=88)
Kingsoft	malware.kb.a.760
Gridinsoft	Trojan.Heur!.038120A1
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.2DWaau0mYZci
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

nino.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All