Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 11, 2024, 2:24 p.m.	Aug. 11, 2024, 3:14 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d6612f5d347fb3a1e9b74b324271a5d3`
SHA256	`539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87`
CRC32	`CC63F15B`
ssdeep	`24576:A68w4WvvycyQHGq1hr1TEOx73tJf0r82jfSr+x2KQIr8QgEM/EEugO00V1EThFgT:RyclHGM1TEWTtJi82rSr+xCcNO/Hui`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

ramos.exe "C:\Users\test22\AppData\Local\Temp\ramos.exe"
1676
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2344
  - b88210b97d.exe "C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe"
    2820
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      2060
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2308
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\dfdf8a39-e218-4823-a9f3-9f42dbedbb4f.dmp"
        2840
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\dfdf8a39-e218-4823-a9f3-9f42dbedbb4f.dmp"
        1700
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        3060
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2992
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4f979e04-9859-42de-9bd9-8488598079bb.dmp"
        2372
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4f979e04-9859-42de-9bd9-8488598079bb.dmp"
        1520
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        536
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1132
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2516
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2660
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2228
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1000
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f8e524a8-c28c-4a04-b227-175b7a39bc79.dmp"
        2920
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\f8e524a8-c28c-4a04-b227-175b7a39bc79.dmp"
        3012
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        1448
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1876
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2916
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1808
  - 6ea479c011.exe "C:\Users\test22\1000037002\6ea479c011.exe"
    2900
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      3000
  - dc83e0ea42.exe "C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe"
    2188
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.100	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.16:80 -> 192.168.56.103:49166	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49166 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.19:80 -> 192.168.56.103:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49178	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49178	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49178	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49178	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49221 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49214 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49216 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49229 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49189 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 11, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:18 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 110 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:25 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:26 p.m.			0	0
IsDebuggerPresent Aug. 11, 2024, 2:26 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 11, 2024, 2:24 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	ghiblird
section	vhsroyxc
section	.taggant

One or more processes crashed (50 out of 254 events)

Time & API	Arguments	Status
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: ramos+0x32c0b9 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 3326137 exception.address: 0x4cc0b9 registers.esp: 9042736 registers.edi: 0 registers.eax: 1 registers.ebp: 9042752 registers.edx: 6791168 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 30 dd 7f 7c 81 0c 24 ec 5a ed 7b exception.symbol: ramos+0x6d814 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 448532 exception.address: 0x20d814 registers.esp: 9042704 registers.edi: 4294938628 registers.eax: 31693 registers.ebp: 3992170516 registers.edx: 2181532 registers.ebx: 236777 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb e9 b0 02 00 00 f7 de 50 b8 86 cd fd 4d 01 c6 exception.symbol: ramos+0x6e28f exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 451215 exception.address: 0x20e28f registers.esp: 9042700 registers.edi: 2154190 registers.eax: 26148 registers.ebp: 3992170516 registers.edx: 2181532 registers.ebx: 856126931 registers.esi: 3 registers.ecx: 332407206	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 c7 04 24 a7 b8 ff exception.symbol: ramos+0x6e80b exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 452619 exception.address: 0x20e80b registers.esp: 9042704 registers.edi: 2156666 registers.eax: 26148 registers.ebp: 3992170516 registers.edx: 2181532 registers.ebx: 0 registers.esi: 1259 registers.ecx: 332407206	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 bb ed e4 ff 77 53 exception.symbol: ramos+0x1f86da exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2066138 exception.address: 0x3986da registers.esp: 9042700 registers.edi: 3767719 registers.eax: 31336 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 43975327 registers.esi: 3751804 registers.ecx: 671	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 55 e9 58 fe ff ff 5e 59 09 d9 8b 1c 24 83 c4 exception.symbol: ramos+0x1f81cb exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2064843 exception.address: 0x3981cb registers.esp: 9042704 registers.edi: 3799055 registers.eax: 31336 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 43975327 registers.esi: 3751804 registers.ecx: 671	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 50 b8 71 85 94 73 f7 d0 52 ba df d6 67 64 81 exception.symbol: ramos+0x1f8542 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2065730 exception.address: 0x398542 registers.esp: 9042704 registers.edi: 3799055 registers.eax: 31336 registers.ebp: 3992170516 registers.edx: 416745 registers.ebx: 43975327 registers.esi: 3751804 registers.ecx: 4294938860	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 e8 72 54 17 89 2c 24 68 a1 72 eb 7c 5d 52 exception.symbol: ramos+0x1fa4f2 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2073842 exception.address: 0x39a4f2 registers.esp: 9042704 registers.edi: 4294939676 registers.eax: 3806608 registers.ebp: 3992170516 registers.edx: 50665 registers.ebx: 3773678 registers.esi: 0 registers.ecx: 3775250	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 31 f6 e9 d1 f7 ff ff 52 ba a0 96 f7 7f e9 44 exception.symbol: ramos+0x1ff6a1 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2094753 exception.address: 0x39f6a1 registers.esp: 9042704 registers.edi: 4294939676 registers.eax: 27277 registers.ebp: 3992170516 registers.edx: 50665 registers.ebx: 3823788 registers.esi: 0 registers.ecx: 14288	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 fd 03 00 00 4f 81 f7 49 fa 3d 64 exception.symbol: ramos+0x1ff057 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2093143 exception.address: 0x39f057 registers.esp: 9042704 registers.edi: 4294939676 registers.eax: 27277 registers.ebp: 3992170516 registers.edx: 50665 registers.ebx: 3823788 registers.esi: 4294942468 registers.ecx: 202985	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 1e 01 00 00 8b 14 24 exception.symbol: ramos+0x207d29 exception.instruction: in eax, dx exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2129193 exception.address: 0x3a7d29 registers.esp: 9042696 registers.edi: 9187047 registers.eax: 1447909480 registers.ebp: 3992170516 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 3813027 registers.ecx: 20	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: ramos+0x20762e exception.address: 0x3a762e exception.module: ramos.exe exception.exception_code: 0xc000001d exception.offset: 2127406 registers.esp: 9042696 registers.edi: 9187047 registers.eax: 1 registers.ebp: 3992170516 registers.edx: 22104 registers.ebx: 0 registers.esi: 3813027 registers.ecx: 20	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ad 2b 2d 12 01 exception.symbol: ramos+0x203667 exception.instruction: in eax, dx exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2111079 exception.address: 0x3a3667 registers.esp: 9042696 registers.edi: 9187047 registers.eax: 1447909480 registers.ebp: 3992170516 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3813027 registers.ecx: 10	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 60 81 c3 3b 53 be 05 81 f3 00 e5 b6 exception.symbol: ramos+0x20b79d exception.instruction: int 1 exception.module: ramos.exe exception.exception_code: 0xc0000005 exception.offset: 2144157 exception.address: 0x3ab79d registers.esp: 9042664 registers.edi: 0 registers.eax: 9042664 registers.ebp: 3992170516 registers.edx: 3847902 registers.ebx: 3848374 registers.esi: 3848374 registers.ecx: 0	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 50 b8 a9 a2 7f 7b 05 82 56 ed 6a f7 d8 2d 15 exception.symbol: ramos+0x20c551 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2147665 exception.address: 0x3ac551 registers.esp: 9042700 registers.edi: 9187047 registers.eax: 32492 registers.ebp: 3992170516 registers.edx: 3850152 registers.ebx: 3849846 registers.esi: 10 registers.ecx: 4294957526	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 51 e9 ec fa ff ff 29 f1 5e e9 59 00 00 00 53 exception.symbol: ramos+0x20c7ba exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2148282 exception.address: 0x3ac7ba registers.esp: 9042704 registers.edi: 9187047 registers.eax: 0 registers.ebp: 3992170516 registers.edx: 3850152 registers.ebx: 3852698 registers.esi: 2283 registers.ecx: 4294957526	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 c7 04 24 c6 f4 f7 exception.symbol: ramos+0x21b372 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2208626 exception.address: 0x3bb372 registers.esp: 9042704 registers.edi: 2145526 registers.eax: 3939598 registers.ebp: 3992170516 registers.edx: 6 registers.ebx: 31316534 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 84 29 b9 18 e9 5e 00 00 00 c1 e2 08 81 c2 exception.symbol: ramos+0x21b758 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2209624 exception.address: 0x3bb758 registers.esp: 9042704 registers.edi: 1179202795 registers.eax: 3939598 registers.ebp: 3992170516 registers.edx: 6 registers.ebx: 31316534 registers.esi: 4294941800 registers.ecx: 0	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 00 ab e6 74 ff 34 24 e9 29 00 00 00 bd 9a exception.symbol: ramos+0x21db81 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2218881 exception.address: 0x3bdb81 registers.esp: 9042704 registers.edi: 3951089 registers.eax: 29446 registers.ebp: 3992170516 registers.edx: 6 registers.ebx: 1346482850 registers.esi: 4294940744 registers.ecx: 262633	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 83 ec 04 89 2c 24 exception.symbol: ramos+0x220a9b exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2230939 exception.address: 0x3c0a9b registers.esp: 9042692 registers.edi: 3951089 registers.eax: 27924 registers.ebp: 3992170516 registers.edx: 6 registers.ebx: 1961274112 registers.esi: 3934574 registers.ecx: 1337342782	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 31 ff e9 23 02 00 00 87 0c 24 5c c1 e0 08 35 exception.symbol: ramos+0x221024 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2232356 exception.address: 0x3c1024 registers.esp: 9042696 registers.edi: 3951089 registers.eax: 27924 registers.ebp: 3992170516 registers.edx: 6 registers.ebx: 1961274112 registers.esi: 3962498 registers.ecx: 1337342782	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 a7 2f fd 36 ff 34 24 5b 81 c4 04 00 00 00 exception.symbol: ramos+0x220b42 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2231106 exception.address: 0x3c0b42 registers.esp: 9042696 registers.edi: 4294941944 registers.eax: 27924 registers.ebp: 3992170516 registers.edx: 6 registers.ebx: 1961274112 registers.esi: 3962498 registers.ecx: 710121	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 56 89 04 24 c7 04 24 9e a1 13 exception.symbol: ramos+0x227fe4 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2260964 exception.address: 0x3c7fe4 registers.esp: 9042692 registers.edi: 302787820 registers.eax: 30543 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 305949951 registers.esi: 3937146 registers.ecx: 3963783	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 56 89 e6 81 c6 04 00 00 00 55 bd 04 00 00 00 exception.symbol: ramos+0x228541 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2262337 exception.address: 0x3c8541 registers.esp: 9042696 registers.edi: 302787820 registers.eax: 30543 registers.ebp: 3992170516 registers.edx: 30185 registers.ebx: 4294940024 registers.esi: 3937146 registers.ecx: 3994326	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 b9 cc 1d 7b 5d 29 ce 59 52 exception.symbol: ramos+0x237618 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2323992 exception.address: 0x3d7618 registers.esp: 9042692 registers.edi: 3989714394 registers.eax: 30281 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 555273472 registers.esi: 4027199 registers.ecx: 2134590413	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb e9 cd 00 00 00 bf 1f 70 3f 67 21 fa 5f 55 e9 exception.symbol: ramos+0x2378b7 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2324663 exception.address: 0x3d78b7 registers.esp: 9042696 registers.edi: 3989714394 registers.eax: 30281 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 555273472 registers.esi: 4057480 registers.ecx: 2134590413	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 9c 2b 3a 29 89 34 24 55 bd 48 1f ff 3f 81 exception.symbol: ramos+0x237e1e exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2326046 exception.address: 0x3d7e1e registers.esp: 9042696 registers.edi: 3989714394 registers.eax: 30281 registers.ebp: 3992170516 registers.edx: 1392536160 registers.ebx: 4294940008 registers.esi: 4057480 registers.ecx: 2134590413	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 52 e9 35 01 00 00 c1 e8 08 57 51 68 55 a9 5f exception.symbol: ramos+0x24b1ba exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2404794 exception.address: 0x3eb1ba registers.esp: 9042664 registers.edi: 2005532672 registers.eax: 33407 registers.ebp: 3992170516 registers.edx: 4140632 registers.ebx: 2008982430 registers.esi: 2012422882 registers.ecx: 2134671250	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 57 e9 cf fe ff ff 81 c4 04 00 00 00 33 34 24 exception.symbol: ramos+0x24b0d6 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2404566 exception.address: 0x3eb0d6 registers.esp: 9042664 registers.edi: 0 registers.eax: 33407 registers.ebp: 3992170516 registers.edx: 4110788 registers.ebx: 2008982430 registers.esi: 2012422882 registers.ecx: 1000157536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 56 be 6e 13 cc 7f 46 c1 ee 08 c1 ee 02 c1 ee exception.symbol: ramos+0x24c5b1 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2409905 exception.address: 0x3ec5b1 registers.esp: 9042664 registers.edi: 0 registers.eax: 4114984 registers.ebp: 3992170516 registers.edx: 2045728987 registers.ebx: 685021755 registers.esi: 22747 registers.ecx: 1342204512	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 54 5e 81 c6 04 00 00 00 81 ee 04 exception.symbol: ramos+0x24d77d exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2414461 exception.address: 0x3ed77d registers.esp: 9042664 registers.edi: 0 registers.eax: 27000 registers.ebp: 3992170516 registers.edx: 2045728987 registers.ebx: 1890907018 registers.esi: 22747 registers.ecx: 4144210	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 53 89 14 24 68 96 4a 2e 56 89 0c 24 b9 b6 90 exception.symbol: ramos+0x24ddcc exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2416076 exception.address: 0x3eddcc registers.esp: 9042664 registers.edi: 4294943600 registers.eax: 27000 registers.ebp: 3992170516 registers.edx: 44777 registers.ebx: 1890907018 registers.esi: 22747 registers.ecx: 4144210	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 05 92 e6 ce 23 2d 92 09 6f 79 03 04 24 e9 c4 exception.symbol: ramos+0x24ea25 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2419237 exception.address: 0x3eea25 registers.esp: 9042660 registers.edi: 4294943600 registers.eax: 4121082 registers.ebp: 3992170516 registers.edx: 434137598 registers.ebx: 1191066187 registers.esi: 22747 registers.ecx: 1230334695	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 a6 94 cc 69 89 34 24 89 04 24 e9 ea fe ff exception.symbol: ramos+0x24e576 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2418038 exception.address: 0x3ee576 registers.esp: 9042664 registers.edi: 4294943600 registers.eax: 4148945 registers.ebp: 3992170516 registers.edx: 434137598 registers.ebx: 1191066187 registers.esi: 22747 registers.ecx: 1230334695	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb e9 0a fd ff ff 87 14 24 e9 e5 06 00 00 29 cd exception.symbol: ramos+0x24e5cf exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2418127 exception.address: 0x3ee5cf registers.esp: 9042664 registers.edi: 4294943600 registers.eax: 4124265 registers.ebp: 3992170516 registers.edx: 0 registers.ebx: 1191066187 registers.esi: 604292949 registers.ecx: 1230334695	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 56 e9 35 fd ff ff 58 56 89 2c 24 bd c4 68 6e exception.symbol: ramos+0x25339b exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2438043 exception.address: 0x3f339b registers.esp: 9042664 registers.edi: 4294943600 registers.eax: 26543 registers.ebp: 3992170516 registers.edx: 0 registers.ebx: 4142676 registers.esi: 24811 registers.ecx: 1969225870	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 50 e9 00 00 00 00 68 fa a6 0e 28 e9 7f 00 00 exception.symbol: ramos+0x257cfa exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2456826 exception.address: 0x3f7cfa registers.esp: 9042660 registers.edi: 306148216 registers.eax: 29847 registers.ebp: 3992170516 registers.edx: 4159157 registers.ebx: 306148216 registers.esi: 4158196 registers.ecx: 1716099331	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 68 4f 42 48 5a 89 14 24 50 c7 04 24 da f9 b1 exception.symbol: ramos+0x257cc0 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2456768 exception.address: 0x3f7cc0 registers.esp: 9042664 registers.edi: 59735 registers.eax: 29847 registers.ebp: 3992170516 registers.edx: 4189004 registers.ebx: 306148216 registers.esi: 4294940056 registers.ecx: 1716099331	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb ba af 3c de 79 e9 11 08 00 00 53 bb e1 b1 bf exception.symbol: ramos+0x2583ac exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2458540 exception.address: 0x3f83ac registers.esp: 9042664 registers.edi: 4165171 registers.eax: 32626 registers.ebp: 3992170516 registers.edx: 640082212 registers.ebx: 0 registers.esi: 4294940056 registers.ecx: 2270642536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 55 68 c2 4f 2a 5d 89 04 24 b8 98 a8 bf 47 bd exception.symbol: ramos+0x25e2ff exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2482943 exception.address: 0x3fe2ff registers.esp: 9042660 registers.edi: 4185831 registers.eax: 27819 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 4166784 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 c7 04 24 ed 9d 75 7e 81 34 24 ed exception.symbol: ramos+0x25e48a exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2483338 exception.address: 0x3fe48a registers.esp: 9042664 registers.edi: 4213650 registers.eax: 27819 registers.ebp: 3992170516 registers.edx: 4294942140 registers.ebx: 2147483650 registers.esi: 4166784 registers.ecx: 21817683	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb e9 61 01 00 00 81 eb 40 78 e0 6d 29 cb 81 c3 exception.symbol: ramos+0x2742c3 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2572995 exception.address: 0x4142c3 registers.esp: 9042664 registers.edi: 49132 registers.eax: 31094 registers.ebp: 3992170516 registers.edx: 4308003 registers.ebx: 4235636 registers.esi: 35307500 registers.ecx: 1481399576	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 57 bf 03 f0 96 6f exception.symbol: ramos+0x274b3d exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2575165 exception.address: 0x414b3d registers.esp: 9042664 registers.edi: 49132 registers.eax: 2179041617 registers.ebp: 3992170516 registers.edx: 4308003 registers.ebx: 4235636 registers.esi: 35307500 registers.ecx: 4294939296	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 53 bb 97 5d bf 7f e9 bf 04 00 00 29 cb 59 e9 exception.symbol: ramos+0x27aa47 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2599495 exception.address: 0x41aa47 registers.esp: 9042660 registers.edi: 4301898 registers.eax: 29819 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 4235636 registers.esi: 35307500 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 31 db ff 34 3b 8b 14 24 83 ec 04 89 04 24 55 exception.symbol: ramos+0x27aba3 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2599843 exception.address: 0x41aba3 registers.esp: 9042664 registers.edi: 4331717 registers.eax: 29819 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 4235636 registers.esi: 35307500 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 68 e7 b9 83 50 89 04 24 e9 exception.symbol: ramos+0x27a866 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2599014 exception.address: 0x41a866 registers.esp: 9042664 registers.edi: 4331717 registers.eax: 29819 registers.ebp: 3992170516 registers.edx: 604277078 registers.ebx: 4294940292 registers.esi: 35307500 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 53 e9 4c f7 ff ff 89 df e9 46 00 00 00 89 fb exception.symbol: ramos+0x27eb2d exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2616109 exception.address: 0x41eb2d registers.esp: 9042660 registers.edi: 4317568 registers.eax: 27538 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 128572196 registers.esi: 35307500 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 56 52 e9 0c 00 00 00 33 0c 24 5c 89 34 24 e9 exception.symbol: ramos+0x27eca1 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2616481 exception.address: 0x41eca1 registers.esp: 9042664 registers.edi: 4345106 registers.eax: 27538 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 128572196 registers.esi: 35307500 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 56 be e8 e5 fb 39 ba 32 42 ef 15 81 ea 7e 9d exception.symbol: ramos+0x27e7c6 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2615238 exception.address: 0x41e7c6 registers.esp: 9042664 registers.edi: 4345106 registers.eax: 27538 registers.ebp: 3992170516 registers.edx: 2130566132 registers.ebx: 4294942728 registers.esi: 604292947 registers.ecx: 1441857536	1
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: fb 51 b9 d2 52 fb 7f e9 2e 00 00 00 05 59 04 ff exception.symbol: ramos+0x29161c exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2692636 exception.address: 0x43161c registers.esp: 9042664 registers.edi: 49132 registers.eax: 4398228 registers.ebp: 3992170516 registers.edx: 0 registers.ebx: 4366022 registers.esi: 3963792744 registers.ecx: 12	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/num/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (13 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/well/random.exe
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.16/num/random.exe
request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 238 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:17 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	explorti.exe tried to sleep 1177 seconds, actually delayed analysis time by 1177 seconds
description	b88210b97d.exe tried to sleep 280 seconds, actually delayed analysis time by 280 seconds

An application raised an exception which may be indicative of an exploit crash (8 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2308 crashed
Application Crash	Process firefox.exe with pid 2992 crashed
Application Crash	Process firefox.exe with pid 1000 crashed
Application Crash	Process firefox.exe with pid 2660 crashed
__exception__ Aug. 11, 2024, 2:17 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9892488 registers.r15: 8791538177648 registers.rcx: 48 registers.rsi: 8791538109312 registers.r10: 0 registers.rbx: 0 registers.rsp: 9892120 registers.r11: 9895504 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14926208 registers.rbp: 9892240 registers.rdi: 247570464 registers.rax: 13442816 registers.r13: 9893080	1	0	0
__exception__ Aug. 11, 2024, 2:18 p.m.	stacktrace: 0xcc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 10087864 registers.r15: 8791536735856 registers.rcx: 48 registers.rsi: 8791536667520 registers.r10: 0 registers.rbx: 0 registers.rsp: 10087496 registers.r11: 10090880 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 15970704 registers.rbp: 10087616 registers.rdi: 253861920 registers.rax: 13377280 registers.r13: 10088456	1	0	0
__exception__ Aug. 11, 2024, 2:18 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10353728 registers.r15: 10353232 registers.rcx: 48 registers.rsi: 14760928 registers.r10: 0 registers.rbx: 0 registers.rsp: 10352280 registers.r11: 10354480 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10353063 registers.rbp: 10352400 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Aug. 11, 2024, 2:19 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8977472 registers.r15: 8976976 registers.rcx: 48 registers.rsi: 14760736 registers.r10: 0 registers.rbx: 0 registers.rsp: 8976024 registers.r11: 8978224 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8976807 registers.rbp: 8976144 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 5867 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (9 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\1000037002\6ea479c011.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe
file	C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe
file	C:\Users\test22\1000037002\6ea479c011.exe
file	C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe
file	C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe
file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 11, 2024, 2:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW Aug. 11, 2024, 2:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe	1	1
ShellExecuteExW Aug. 11, 2024, 2:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\1000037002\6ea479c011.exe parameters: filepath: C:\Users\test22\1000037002\6ea479c011.exe	1	1
ShellExecuteExW Aug. 11, 2024, 2:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: taskhost.exe process_identifier: 1372	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: conhost.exe process_identifier: 1000	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: pw.exe process_identifier: 2084	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: explorti.exe process_identifier: 2344	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: svchost.exe process_identifier: 2672	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: mscorsvw.exe process_identifier: 2724	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: sppsvc.exe process_identifier: 2772	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: RegAsm.exe process_identifier: 3000	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: firefox.exe process_identifier: 2308	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x000002f0 process_name: dc83e0ea42.exe process_identifier: 2188	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x00000498 process_name: cmd.exe process_identifier: 2312	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x00000498 process_name: conhost.exe process_identifier: 872	1	1
Process32NextW Aug. 11, 2024, 2:24 p.m.	snapshot_handle: 0x00000498 process_name: pw.exe process_identifier: 2612	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 11, 2024, 2:17 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000003c5e1fb0000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes explorti.exe, regasm.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELU¸fà"¬ ÆÌ7®À @P®zu@ PppÀ\|LÐè0pp° @àÀ ò@àÀö@à@ öú@àPbð @à.rsrcÐR@@àx`(à@à.data"@"@àÏ=îëÑPÓ1}Úñ¯Æÿr+]Îç½Aó¨WË½äCgÞÄnÅ·g6W6:èâñÌo{iY>{^ O°9¦^×Ê6Í¥LCNÁÙYO¯Ep.ñ¯:Ð£QmeÊ´¤'æ4¸r´³FÕdºXbÝÒÏÎå«îh0àúVÜê+-®³bÈÍrÏ7Ï¦'@ýê^õìv?ö Ä¶6o¶.uß+9ÉqØÈ1AÏßñÂxË?BéÅÞoÛ¤Tû±é\|KÌøÌÖÏbWMSËDûMÃµé´gÑokúOS3F Ùßî÷ ªî7>îÛWðÔ6ÃîÎpOR^ø¿ÈÃ:8Â<#eÖ(ÛÇ cQk»· %+hÚ¦Âi¬ÓV»¨Þ<p[ÇS,Ýyp_ìÙº.ìåÙe$þ¥TVêXÆnmí\|o ²¤ßÓvQ+9àÌSxÇÀê5òSõ:Ý¼¦ õC©pý&#ns¬S¹/2§¦ó©þõ5W¦â~3aíóÑõ#³ÍÄJóãzR"VQz¹¤yðA:p6Z9,õÍÐH~C'c¯ø¶S¹ ¶<Áõ÷:T÷®£!#Ëàúi3'½ÛIñì¡Z£Ñ?ÒÔ»ïJw³AwTX~5Ì_Ë¦Fb¾zZ§¼hhèýÒ¨4¿^»añá:9`º5ÿßMnäêk+¨DuàÙÆdiÇ® é/ÙÕú3«à}ä^8bE9ÇÙyf\|l½(ÝðQöëËAA&e[8½è,µò¶õ®àV;¢ ×Iéõ«ÍÚ~¨~¥FOÄÆÓáæ£·´úpïlâDh»Ø[uBræ4+}cõÑL ü [ÿà¬¢IùÝ$¦Yµ<&Ã½^%o¡à~ÍCßÎ}ÜÇ÷¡ArL²5>ñþu3¹ðwÛïCY J:åÁCÍCºân_¾õ{³;ÌLüLaTêýP¶óõTÖ1Ï$ò°OóñÏááG%MâñHæÞIzÄi`ÅøâA{bg¶?4DÀ,Ï£+Áao1ê? jÆÓöb¼ñW)z÷í¦ ³xÞêî<ÊbÓrì¼ô0ø!Þ¼xPÿû'7wPB²É-MÿÈ"gõÞÎo¦Ø3mâ6ï¸éUÈy Ì¿£sç¿¾Éÿ·lÆ` ¿rVO`Ë±}ÇÂ;nè¥<uÏéíIë®_ÒhÒCÆþ`h.YpK\¶@³§íy.GØøæ·H¼ì«± 0C=«©ð ÜÕUºV+üe±§Çè\o ãÜ4ù¹LGzX?¢yY>e'Rò,Ù\µ8ø¡C1îÚpQFÃrÞPÃ£ß'Ù¶_êÝlªTmÂ&êt(8Ö/È¤ßî{W@6Ô¡ØMÅô¤¦ÇNfQ_tDùÈÄæ Ð ö 2¬Ü¨Bæfkx\«FgmëOæ{4²wª ;=öÄj0BEßZÔVrsB½~ç(T#z^°ë¼RFÎò!¥,íuãóF2õáðvgx'Ý¨#Ëo÷Dø«knÑÂ¹Ã\ =Ùµ8p2 äÙôUk<ÕýÔ¥ÜõÅN²l1¼¼P¤1%oPG²æ¨!èÅ¼¹Ìw<³8øÌñÖ°ÅO°8>»¿êAÄüÕk°×m=åèü-5x·ÏQ?DN)ÂrFj²jG¼4¦94ÃæHIlôP}_òz(B-æ±n>L¿(AÃÿ IAª»ÇÐ»Xõç¹âªSdçæÂf6Þ´àÖ"óßÕpT·w!!$¿¹à÷²uVîÕIÇgáû³Ün¦T/Â\|GVÄ.¼AØQ)pV<2q¾Kuäõ¹=ïoBµ6B¹NéVMøï¶ê.(õ}Y}¨Sè¨Gå¾ÒLÊ M§j1hÙÜ>VmÝ"öü)ûÃà1(¥ª~÷~mßÞÍ6¨EÍÊÐõK2þ¶êÑA¦d>Ãf`pwiÉS£èþ¥Cáúâ\|aÞâgíë' Ù¥mþ cí`îÙ_ßöÁ:Qe¤ÃT¬£ñÀó{éÔ¼ÒÛ<¦Bã6H¼Ä£Te66nÊ÷læ=\|ä÷Í\Hä2yÒh1'+Á¼Ùz_$[ÿ,áN1¬²L¨,S´e ix àÄPwÕ¾C¤;ò Ü9Hæ¨ ùÒÆQ7Âc}FfÞ[äUöªSã³¸97[ Ré@~Ã6}vÏt÷îR¹Ût ÍHúwÒ½ó,Îÿ6^éÇ7rÖjB}¡tLDHßà8E©Ú)7OÄöÈÀÃÊ=ò`ä[+SKÆ½à8í&PÍYu¡,£ª#`ýZëÁÏ¬ÁíI^ùÂÊóOkîk5"=cR`îç3UÓÜÎéö¨í/ZÉ¨ÿ¡ÓMaÜ£GûO°æB)±Þ^³o#RÆnÿ¤x J©ËßÁÇêÐµ¼¯ª3wíµ¶¾g@PGõ¼Muë9C»>~îüî@xñå®ôÖ°lÈÿÛPº<[q6ûô:+!õ K¹vh çt%Cò/\²{®sïR08¥V ´¡åSÁGaJÃ t§5ùo#lÆËMãÏ<ÊCC\|LãlVé-]JëÚ©.éáÎþ=kOHÙ«xq¦^D#9:RØ¿3ÅPØ1)VEt¸Açq±2P®«F5Çº¯µö'é£õWW©QlÒÂVV¿;Z¸º{}ùÖ¡ÉTÏîuï[÷EòÇÃòoC-\±¾©Ö>rÂ7¤Ss7ëúÔ-icz¦ÜíËyÿt&a»@þ?Ö¹&»,+Ûm&Éa¹É1ÓK½»yyUéx<t[ÛIÃC³KH¿MÓ!w] ;¦f 1«WëfàÝí\|5oûùÒmn°ÚgqL n,ÁYàó4áv4âà+HGå¼P7,ö 84E?KV¬ØßÛôLâ=ã+õ>= 42Ì$5M¦Ã»ÂM<Á"4ÓªKDÄáÙFÖÎ»,cKâ³+2ã¤4MûMÆÞò l¬Ë÷"^o®8x^»{`°iQ4¶¹ÎËô¾pY¦¹ÉRÇ)"ÌR$Ù~¶ºÒýÒ´pÀ¬áEùÈf!ÆÒD&·´¤ÙÚ¸&a!³nîï.yËS×ÆÎ DeÉ²>ã½Ñ/¸Õ.ã=¹¯ Íð$¥Mé9E?ÒS\î5{Mf5afÛ·IuÅëB Y´Ð;Cñn³Ë$4Û½Ú\ÍêÓÍ:leL¯=ækörÌ_Ý(ÉÏ(2³ëV1lF$Î×1à7=K>Âå¼ÌöÄ-Àxý©¿CJ¸<[_mÙ4nEK«6k'DAÂá39è¾E½Bu2ÿ]3é¨#$Â+ ÝEÌªµqxhBz¡PugKMúÈuÇÐÑ/$£Vÿ·ÁÄ+nGå3VT@¦Ôgh3fmä.ÂÕüæ~2 æ6ó´£ûýäÝSåzIc ÂFwÄ$ì} ® request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELQ¸fàî% @@ `%W@à`\$ H.textô `.rsrcà@@@.reloc`@BÐ%HD å]ÕMeàW®ÊÉê!)Aï,½ygSÿ»?l?ät¶¼÷ÀrUØÜ\ñP\|Ld¼O¶Üý']cýqGaNSÞÍ"6(ÂWBR:ÂëóÕô¤×«ñM2õßàîÏûJÌ×¯û£\|³Ý]ãC5~»p?I°^l0iáqmÉ¦¬Ç.¡á¡CÿÛ\6çòÉ«C=Á5ûàý(g¢¾¡û>z3ª£³ÌRú¤¿k3-¦¯~ÚIÖ(Ã]¬#(ììËqÏk=¡±°®ä¦a°N»J\ãm\,pióøK.7Z×±ëÐÏ=ÂØcÒµv(lÖJ_ xzôÊÁÖò±ÞxO?ð¶¸öJö¸\\Ô=³ì½,?7vY ¡B;lAvmW.±ýD)¾\ØçðS[ý£¦ì»è·I '!wzjyï:ºÝì)<è½¹eæÖèG<F@¥8F%uÕËcG!²Ô Eº¯äÞÙÔ]³Ü@ÂÄò<)ÂÔ®ôÁ³LÎY´¹åQZì¬gÁôZÒ}IÙ4?-@gêGNdoÚV]´amj¥%â 48DX±Eª$ÌT²HÙð¬#äÄÅkðRÑâä÷¸ ·I½~l~¬¹sì/¤Q² 2-õkº}Í?GØñÝÀ¡ÇÑè?Mèö¼ÿ9{{2å½é¯rÕoTëR¾4@o)SÆ1Ëf,hfH©ûË¡µXj©¨ TÑ/Ø@ðz9`O»«'â#À<-K%¯,ß9ÓsS>ÖÁ¸Jþ¼ptRé[\|´\© BÉ,&/y óQr&ó±b¥âÚàµ°¸®¿û»ÔÏÊ<ÆPi rh¥¥¸I½lö«á<ðI1eÃEH´(\$ \|©e¼{ÔZ2Ozï¿Ìèå¡IUöÌó®oÕÌe¬Ù$m¸Û<^ ªU¦YÔùî¥õ@Â³NÆ¯ïØKóã³hY°xWäùõ1ßæØË'®/ACaþ\|ÿîey/ù¸ÉY½;?«e¢gÞf;éèf>N.::Ä¾::B;¡Þ3Ô·En<Þ];ÙIT.á~c- =K©7JÄò(Ç§®±éwÐ«st®V8^ÊOGGQ~¤ m%óâ&ãeï×ß®ÃæùÅûJp!{^¥0ªî48<õx½¤J}C/qâ¼Ñ9oûÒÙ/Jä¬ëûYâÃñWVé¯7túØ¼á"nÿýótÚZÙçúFËÐ<lLÐEó« 6ÉßoúWx\~jiGA+(ÞæþS%]MpÖh"ÌÁ»rqÆ;äl0L#ó&ä¿ëlÐ ½êä·PDÝ_\|CùlùÈ±'t^0+µV£ì_=Çy5-\o-wö>wÙ[íb¾SÆ-ðñ.)Ä³éA uµÄf-×clëóÜ]20sB\ásø§7VN}¿W:®Gø£ü³ (ìóÞ2æ°Í®UF>iÑ's[ÝnS+÷í5©hR4tóá#C ¶¦1®º,?«SgµïÙÑ(tî;åÖ¤!]PIÅ ½.n {²kfÞ¬Mtig¿$éÏWöMG~Iß·ÍSt¹k%á¹ñZÆÏ¿¡¹YUN\|D¡Ç&à?ö#jÂâsYQ¬þâðeGÅB4î2¾A,?ä\|3ÊwßÝµËø u¦xZ îÙ#Ò¨Ìò¸³Ï$v2üÖ§ r&Âz¶%"² ß¥W b¨\|òm÷[3mÍº\Ñ Üf¤¹×Ý³¢{iQ£@ÈÑÁéIVöù8´i.ôlÍyP¬@5[U³üó¹ãË20% lÑ/ EÌâAxÈ¾Ë"dtÞ%è¥);¦ µÈö?Ê°Å5½6)Jã»HçgCÑ¾KÏîôv8³I¢«£8,Vù=tW<zèrtpÌÁ~Ç÷7ï¡\|àweåé¨ZøIDÅ2mÊí+qRå Å`o>ç²DT""¹4òP¸ä¨ ¸2ù×ªâÄÓ(®y^ç4p@±§LÒö½FDÃÄ1`ÓîÓÐx"^º<eM¾`¯<zã gxr¶øÌ.ÊÞÉÕ/==)Ó'Ë]ÃòU÷1¥úë'ØüëéIÛþ±fêÉ0 ÞÈ=`±Ýñ2¼HÜàxü¡LZ¥± ®_@XÅ;v<µ3ÆÚî¼5[÷(uÛêLãÜNõâtéFÚÞ¹ÒTH ò}cvæ{?§óþßiSÛ½Mæ+ ë¡ÆÝWq$âÎ¿Ì¢Æ¾×R~D¹zÿ©#©#Ó>S;XõÔüé+°xûgx«Îf£Ù!´(sÌsGÈðÃÑ² V:¨CgJk^/Àr6eß©/;}üÙî¼La ø+ÃµQÉu\=%ÁhäB£Ú-iw¼y¼:mA¨¯±¼/î³@ë5(¦òÅpe%ç(1r½BA¼`X\|ì[Î´DíVQf±^è69_ UUþS]«¶tÊrØhzúeOÉìporÔØ®t¦Y¾#ÕOîmÑ¢^åðûZeAªø,Ä¬¦T0BsåU§ÿ6è¹Q$°÷õ` ;AJ,¶Å\|èeè5\|\¡W¨_¯ØMF@5-ÊØwa$Ròâ>u£l(£°_Po×Dÿà9VÜJ>Fø}8±Û¯-Wwfæ¬ÝÍË¶Ü'Ë}J4û) ù7# @ðò¦XÌZäbç./=ùV]ÝGÉLßÄ¹ªd¦iæ ¶.Àâñc=·Ìÿín´f7Oz(ð6êYÛÐí½\`Ì÷çsÐ`Þ·~%ÇBD¹'ôJópÍ]ÏÂËæØ¿>noøRç^¾«¨.ûX[2ÁB9Øuo§tËXFËÆÌ¿üî¾æcÞ³]â%¨ÔÐø7;v?DÚï7"8mw¥Ì»¨AÀ¿:Ùå+Il&XìLÁåE;.ñ¨ £ð=Ö\|!;<öúdBÔ»'÷³ë§x "d&fV®çêêB¢D4Z¤/÷ß²»Ï:ÍgÎ¼s¶ì wæáÇåV¬8§Í EËDjOàè[z5Û1hæv<¥´ÓG<Y0&Ù·òS\pð]WÙÅÄmö¾W 1ß.E+1-¦¥ P¤&-zÈã]wÃ8úTx(Ymï+¨rn²4.ð³:+Fa/,,S!s9ÐÎwÝ·nÃ à£UoDGòzT2s}x¥zlÂÿw&Y ØÕÅ'I¹\|ï©=3ôBÙl2Tþx3àÙáÎ")-ÌÁY»}·¶[ ³õØùfi¦»ÖW´s²Ms¼¬¿þ¶ì²ñ³cÈ+QêBÉ»0ºo}ßídh"5#î§ñ?n6`i!:04ÆÊçôì?HÅ±Øø\|Ñ9d¿9{ÿï+)²ùªIß&¯@^ìm±6öµMOÀ&¾!ïrå ½»`eä§Óµòq/·×£þ\|ØÄû¦ùa'YDðÌ»LÍiÔÍd¥õ5ìBÊï¿E M&â«ò%l×áÇ¶@Ø(\|bAöA{ bdÊ3:dÚÇP$b°úRÌ(Ú\|ï$ÙÒVó6è8°¦ ,$D²!ív,èéUV±ë7Ø;ð]¿®àédÚßÈÆ6Ä,9Øãør\aÒ9ØúÉOòµDÊ«lÎ.Î ÇÉÁ=¾"¨1ãÈÏ5]%è¨ÜÚ®õ[:§£°"§³M=_Gc9wWèwÐÚ ö}? ¢]Ë9y&ÚZ¤¥¤ÅÈèïÖÊÑòØ¾É¨É£Òm`û+¥#ª"/ëÅD©®Ö\|÷TÄ3÷J¶ 6<EëàÀXü±d´a.¬Ì HÎ6ïæPZçïÛÉ23ùL(»ì£Ð÷u«Y¢ªþº·ÄéQ8£W+\|?læÐ"§iÔÒ¯*Çp¾"{c©þÈp¶£wiÀï¹,` request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.relocDà#F¨@By¹ApÈAÙÈAUìQEEü}tMüÆUüÂUüEèEëàEå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìEèExMÿUMMMëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSjh0hÀAÈjÿ$ÐbEüPøtÀüÉÀøX}üt,ÀhÀæEüPèNsSÉÉü[hhÀAÈMüQÿdÏb[å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQÇEüjj@h0hÐjÿØÐbPÿÐbEü}üujÿìÏbèRÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì(EÜPÿtÏbMðMØ}ØsjÿìÏbå]ÃÌÌÌÌÌÌÌÌUì¡@ÍbPèâaPè,sÄÀu! ÎbQè9aPèsÄÀujÿìÏb]ÃÌÌUììjjj¡ÐÈbPÿ,ÐbEôj MôQÿÐÏbEøUôRjÿpÐb}ø}jÿìÏbå]ÃÌÌÌÌÌUììHj@jE¸PèrÇE¸@M¸QÿÑbøujhUÄREÀPèÁjhRPèÁEøUüëÇEøÇEü}üwr }øWsjÿìÏbå]ÃÌÌUììÇEøÿhjÿÀÐbPÿXÐbEôEüPhjMQURÿ¬ÏbÀuEøPMôQjjUREüPÿÏbMüQÿ(ÐbEôå]ÃÌÌÌÌUìì\hèjüÿÿPÿäàAÄh4MBhäMBhè\ÿÿÿÄPüÿÿQÿlÐbüÿÿRÿÏbøÊhbBüÿÿPÿlÐbhÿ Büÿÿèh¬NBàûÿÿQðÉbRìûÿÿPüÿÿèÎÈèÇPüÿÿè«àûÿÿèìûÿÿèõhBøûÿÿè%jÈûÿÿQèrÄP¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèdÈèÍPøûÿÿèA¼ûÿÿèÔûÿÿèÈûÿÿèjøûÿÿèCPüÿÿRÿ0ÏbüÿÿPüÿÿQìÌøûÿÿRèæèÄÀtMüÿÿPüÿÿQìÌüÿÿRè»ìÌEPèÊ¤ûÿÿQè7Ä ¤ûÿÿèíøûÿÿè²PÿÏbøûÿÿèüÿÿèjjüÿÿRÿäàAÄøûÿÿè¦üÿÿèMèå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüÁ\|ènMüÁHècMüÁ<èXMüÁ0èMMüèåå]ÃÌUìQMüEPMüè MÁ0QMüÁ0è»UÂ<RMüÁ<è©EÀHPMüÁHèMüUBTATMüUBXAXMüUB\A\MüUB`A`MüUBdAdMüUBhAhMüUBlAlMüUBpApMüUBtAtMüUBxAxMÁ\|QMüÁ\|è Eüå]ÂÌÌÌÌUìQMüMüÁ$èNMüÁèCMüÁè8Müè0å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMÁQMüÁèUÂRMüÁèEÀ$PMüÁ$èwEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììthBMèèêhBMôèÝEüÿÿ½üÿÿt½üÿÿtW½üÿÿéÇjhþÿÿQèqÄP\þÿÿRMèèoPMèèæ\þÿÿè;hþÿÿè0éjPþÿÿPèÍpÄPDþÿÿQMèèPMèè¡DþÿÿèöPþÿÿèëë@j(8þÿÿRèpÄP,þÿÿPMèèèPMèè_,þÿÿè´8þÿÿè©}0hbBüýÿÿQURþÿÿPhdOBþÿÿQUèR þÿÿPMôèÈèÈè{ÈèPMôèëüýÿÿè@þÿÿè5þÿÿè þÿÿèéM$QÀýÿÿRh´PBÌýÿÿPMQØýÿÿRhPBäýÿÿPMèQðýÿÿRMôèùÈèÈèëÈètÈèÝPMôèTÀýÿÿè©ÌýÿÿèØýÿÿèäýÿÿèðýÿÿè} þÿÿPMôè>PÿÑbEä}äÿu5MôèVMèèNMèFMè>M$è6M4è®ûÿÿéh\QBÌþÿÿQÿÐbÀthRBÌþÿÿRÿÐbÀué}hBþÿÿè(}0æE$PlýÿÿQhüSBxýÿÿRÌþÿÿPýÿÿQhTSBýÿÿREPýÿÿQh¬RB¨ýÿÿREèP´ýÿÿQþÿÿè Èè)ÈèÈèÈèÈè ÈèvPþÿÿèêlýÿÿè?xýÿÿè4ýÿÿè)ýÿÿèýÿÿè¨ýÿÿè´ýÿÿèýé¦ÌþÿÿR0ýÿÿPhLUB<ýÿÿQURHýÿÿPh¤TBTýÿÿQUèR`ýÿÿPþÿÿèÑÈèZÈèÃÈèLÈèEPþÿÿè)0ýÿÿè~<ýÿÿèsHýÿÿèhTýÿÿè]`ýÿÿèRìÌþÿÿRèáèlÄÀ«h BþÿÿèahVBüüÿÿPMQýÿÿRhôUBýÿÿP ðÉbQ ýÿÿRþÿÿèÈèÈè÷Èè request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.986145588110248, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98614558811

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001ace00', u'virtual_address': u'0x0032c000', u'entropy': 7.9542105833413945, u'name': u'ghiblird', u'virtual_size': u'0x001ad000'}

entropy

7.95421058334

description

A section with a high entropy has been found

entropy

0.994239329667

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 84 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 11, 2024, 2:24 p.m.	status_code: 0x00000000 process_identifier: 2960 process_handle: 0x000001ec		0	0
NtTerminateProcess Aug. 11, 2024, 2:24 p.m.	status_code: 0x00000000 process_identifier: 2960 process_handle: 0x000001ec	1	0	0

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	185.215.113.16
host	185.215.113.19

Allocates execute permission to another process indicative of possible code injection (16 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2960 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ec		3221225496
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 3000 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:17 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:17 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:18 p.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:18 p.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:18 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:18 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 1876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 1876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1	0
NtProtectVirtualMemory Aug. 11, 2024, 2:19 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 360 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 11, 2024, 2:24 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\b88210b97d.exe				reg_value	C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe
file	C:\Windows\Tasks\explorti.job

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2900 manipulating memory of non-child process 2960
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2960 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ec		3221225496	0

Potential code injection by writing to the memory of another process (50 out of 66 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 3000 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 3000 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3000 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: base_address: 0x000000013f0e22b0 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: base_address: 0x000000013f0f0d88 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2308 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: »g base_address: 0x000000013f0f0d78 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2308 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: »g base_address: 0x000000013f0f0d70 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: ÏT base_address: 0x000000013f090108 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0eaae8 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:17 p.m.	buffer: base_address: 0x000000013f0f0c78 process_identifier: 2308 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: base_address: 0x000000013f0b22b0 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: base_address: 0x000000013f0c0d88 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2992 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: î base_address: 0x000000013f0c0d78 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2992 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: î base_address: 0x000000013f0c0d70 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: ÏT base_address: 0x000000013f060108 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0baae8 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: base_address: 0x000000013f0c0c78 process_identifier: 2992 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: base_address: 0x000000013f0b22b0 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: base_address: 0x000000013f0c0d88 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 1000 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: p base_address: 0x000000013f0c0d78 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1000 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: p base_address: 0x000000013f0c0d70 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: ÏT base_address: 0x000000013f060108 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0baae8 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:18 p.m.	buffer: base_address: 0x000000013f0c0c78 process_identifier: 1000 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4a22b0 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4b0d88 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: I»`#G?Aÿã base_address: 0x0000000077711590 process_identifier: 1132 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: K base_address: 0x000000013f4b0d78 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: I» G?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1132 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: K base_address: 0x000000013f4b0d70 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: ÏT base_address: 0x000000013f450108 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f4aaae8 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4b0c78 process_identifier: 1132 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4a22b0 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4b0d88 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: I»`#G?Aÿã base_address: 0x0000000077711590 process_identifier: 2660 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: = base_address: 0x000000013f4b0d78 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: I» G?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2660 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: = base_address: 0x000000013f4b0d70 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: ÏT base_address: 0x000000013f450108 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f4aaae8 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4b0c78 process_identifier: 2660 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4a22b0 process_identifier: 1876 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 11, 2024, 2:19 p.m.	buffer: base_address: 0x000000013f4b0d88 process_identifier: 1876 process_handle: 0x0000000000000048	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 3000 process_handle: 0x000001f0	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Aug. 11, 2024, 2:24 p.m.	key_handle: 0x000002f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	explorti.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2900 called NtSetContextThread to modify thread in remote process 3000
NtSetContextThread Aug. 11, 2024, 2:24 p.m.	registers.eip: 2005598660 registers.esp: 3602452 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 3000	1	0	0

One or more non-whitelisted processes were created (10 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\dfdf8a39-e218-4823-a9f3-9f42dbedbb4f.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4f979e04-9859-42de-9bd9-8488598079bb.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f8e524a8-c28c-4a04-b227-175b7a39bc79.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (18 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2820 resumed a thread in remote process 2060
Process injection	Process 2900 resumed a thread in remote process 3000
Process injection	Process 2060 resumed a thread in remote process 2308
Process injection	Process 3060 resumed a thread in remote process 2992
Process injection	Process 2228 resumed a thread in remote process 1000
Process injection	Process 536 resumed a thread in remote process 1132
Process injection	Process 2516 resumed a thread in remote process 2660
Process injection	Process 1448 resumed a thread in remote process 1876
Process injection	Process 2916 resumed a thread in remote process 1808
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2060	1	0	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 3000	1	0	0
NtResumeThread Aug. 11, 2024, 2:17 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2308	1	0	0
NtResumeThread Aug. 11, 2024, 2:18 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2992	1	0	0
NtResumeThread Aug. 11, 2024, 2:18 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1000	1	0	0
NtResumeThread Aug. 11, 2024, 2:19 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1132	1	0	0
NtResumeThread Aug. 11, 2024, 2:19 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2660	1	0	0
NtResumeThread Aug. 11, 2024, 2:19 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1876	1	0	0
NtResumeThread Aug. 11, 2024, 2:19 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1808	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 11, 2024, 2:24 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 1e 01 00 00 8b 14 24 exception.symbol: ramos+0x207d29 exception.instruction: in eax, dx exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2129193 exception.address: 0x3a7d29 registers.esp: 9042696 registers.edi: 9187047 registers.eax: 1447909480 registers.ebp: 3992170516 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 3813027 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 209 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 1676	1	0
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 2348 thread_handle: 0x00000238 process_identifier: 2344 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2344	1	0
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 2824 thread_handle: 0x00000484 process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\b88210b97d.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 2904 thread_handle: 0x00000430 process_identifier: 2900 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000037002\6ea479c011.exe track: 1 command_line: "C:\Users\test22\1000037002\6ea479c011.exe" filepath_r: C:\Users\test22\1000037002\6ea479c011.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000490	1	1
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 2192 thread_handle: 0x00000484 process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\dc83e0ea42.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000498	1	1
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2820	1	0
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 1532 thread_handle: 0x000002d8 process_identifier: 2060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e0	1	1
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:25 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:26 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:26 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:26 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:26 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:26 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:26 p.m.	thread_handle: 0x00000158 suspend_count: 0 process_identifier: 2820	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2900	1	0
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 2964 thread_handle: 0x000001e8 process_identifier: 2960 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001ec	1	1
NtGetContextThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000001e8	1	0
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 2960 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ec		3221225496
CreateProcessInternalW Aug. 11, 2024, 2:24 p.m.	thread_identifier: 3004 thread_handle: 0x000001f4 process_identifier: 3000 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001f0	1	1
NtGetContextThread Aug. 11, 2024, 2:24 p.m.	thread_handle: 0x000001f4	1	0
NtAllocateVirtualMemory Aug. 11, 2024, 2:24 p.m.	process_identifier: 3000 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 3000 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: base_address: 0x00401000 process_identifier: 3000 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: base_address: 0x0041e000 process_identifier: 3000 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 11, 2024, 2:24 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 3000 process_handle: 0x000001f0	1	1

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
BitDefenderTheta	Gen:NN.ZexaF.36810.3DWaayHqG!ii
McAfeeD	Real Protect-LS!D6612F5D347F
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.d6612f5d347fb3a1
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=86)
Kingsoft	malware.kb.a.730
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDownloader.Deyma
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

ramos.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All