Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 12, 2024, 8:50 a.m.	Aug. 12, 2024, 9:54 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`83847cf6a192b9983d7a07be74cdab7b`
SHA256	`4e5a7df168270d5bfd2491582da2a10c921cf04b1b5daed922af9c8bce20f4ce`
CRC32	`B6DFC223`
ssdeep	`49152:ExRFPlGjyvW1YqvRhXBERh7qzxwALvCODAE7/JvpmbFHiM4:ElPlGoqvnXu7qtwGCC3vcFHiM`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

ramos.exe "C:\Users\test22\AppData\Local\Temp\ramos.exe"
2544
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2804
  - 59d7dfe3f8.exe "C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe"
    3040
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2088
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2448
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2584
  - e72857cb8a.exe "C:\Users\test22\1000037002\e72857cb8a.exe"
    2068
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2220
  - 4e6c60056f.exe "C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe"
    2824
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.19:80 -> 192.168.56.101:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49165 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49175	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.101:49175	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.101:49175	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 185.215.113.16:80 -> 192.168.56.101:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.101:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 8:50 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 73 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:50 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 8:51 a.m.			0	0

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 8:50 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	zghbmtmp
section	ekzcdlcs
section	.taggant

One or more processes crashed (50 out of 229 events)

Time & API	Arguments	Status
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: ramos+0x3150b9 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 3231929 exception.address: 0xd550b9 registers.esp: 1570928 registers.edi: 0 registers.eax: 1 registers.ebp: 1570944 registers.edx: 15687680 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 c7 04 24 9d 6e 3c 46 89 04 exception.symbol: ramos+0x6cf8e exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 446350 exception.address: 0xaacf8e registers.esp: 1570896 registers.edi: 1968898280 registers.eax: 11222266 registers.ebp: 4001214484 registers.edx: 10747904 registers.ebx: 1968898280 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb b9 ec 05 eb 7f e9 6a ff ff ff 53 55 bd 2e e3 exception.symbol: ramos+0x6d797 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 448407 exception.address: 0xaad797 registers.esp: 1570896 registers.edi: 1968898280 registers.eax: 11196830 registers.ebp: 4001214484 registers.edx: 0 registers.ebx: 1968898280 registers.esi: 3 registers.ecx: 237801	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 b2 05 00 00 8b 1c 24 e9 d1 01 00 00 89 04 exception.symbol: ramos+0x6e094 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 450708 exception.address: 0xaae094 registers.esp: 1570892 registers.edi: 1968898280 registers.eax: 32785 registers.ebp: 4001214484 registers.edx: 1104926759 registers.ebx: 11198146 registers.esi: 3 registers.ecx: 478115951	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 c8 00 00 00 81 c1 75 0b 6f 7b 57 exception.symbol: ramos+0x6e672 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 452210 exception.address: 0xaae672 registers.esp: 1570896 registers.edi: 1968898280 registers.eax: 32785 registers.ebp: 4001214484 registers.edx: 1259 registers.ebx: 11230931 registers.esi: 3 registers.ecx: 4294937896	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 52 ba 13 0b f3 4f 01 d7 8b 14 24 56 89 e6 e9 exception.symbol: ramos+0x1e4bb8 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 1985464 exception.address: 0xc24bb8 registers.esp: 1570892 registers.edi: 12732789 registers.eax: 30306 registers.ebp: 4001214484 registers.edx: 11190237 registers.ebx: 425984 registers.esi: 12732194 registers.ecx: 2062942208	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 53 89 2c 24 c7 04 24 81 8b dd 5f e9 71 06 00 exception.symbol: ramos+0x1e4aeb exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 1985259 exception.address: 0xc24aeb registers.esp: 1570896 registers.edi: 12763095 registers.eax: 30306 registers.ebp: 4001214484 registers.edx: 4294939572 registers.ebx: 425984 registers.esi: 12732194 registers.ecx: 82608976	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 50 e9 d7 01 00 00 89 c6 58 e9 f1 00 00 00 01 exception.symbol: ramos+0x1eaf2a exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2010922 exception.address: 0xc2af2a registers.esp: 1570892 registers.edi: 12763095 registers.eax: 27156 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 50135805 registers.esi: 12757229 registers.ecx: 765	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 74 00 00 00 57 bf 40 59 e6 3e 81 f7 e9 6e exception.symbol: ramos+0x1ead4b exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2010443 exception.address: 0xc2ad4b registers.esp: 1570896 registers.edi: 0 registers.eax: 27156 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 1549541099 registers.esi: 12760585 registers.ecx: 765	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 89 00 00 00 f7 db 81 eb b1 eb 61 8e 89 da exception.symbol: ramos+0x1f2a62 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2042466 exception.address: 0xc32a62 registers.esp: 1570892 registers.edi: 4730383 registers.eax: 12788569 registers.ebp: 4001214484 registers.edx: 95 registers.ebx: 12760611 registers.esi: 0 registers.ecx: 1969148396	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 50 56 55 68 1c 29 fb 0b e9 c5 04 00 00 58 21 exception.symbol: ramos+0x1f24bf exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2041023 exception.address: 0xc324bf registers.esp: 1570896 registers.edi: 4730383 registers.eax: 12821317 registers.ebp: 4001214484 registers.edx: 95 registers.ebx: 4294937792 registers.esi: 1114345 registers.ecx: 1969148396	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 e9 65 19 00 00 exception.symbol: ramos+0x1f6f95 exception.instruction: in eax, dx exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2060181 exception.address: 0xc36f95 registers.esp: 1570888 registers.edi: 4730383 registers.eax: 1447909480 registers.ebp: 4001214484 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 12795977 registers.ecx: 20	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: ramos+0x1f9174 exception.address: 0xc39174 exception.module: ramos.exe exception.exception_code: 0xc000001d exception.offset: 2068852 registers.esp: 1570888 registers.edi: 4730383 registers.eax: 1 registers.ebp: 4001214484 registers.edx: 22104 registers.ebx: 0 registers.esi: 12795977 registers.ecx: 20	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 77 2b 2d 12 01 exception.symbol: ramos+0x1f8263 exception.instruction: in eax, dx exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2064995 exception.address: 0xc38263 registers.esp: 1570888 registers.edi: 4730383 registers.eax: 1447909480 registers.ebp: 4001214484 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 12795977 registers.ecx: 10	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 52 e8 03 00 00 00 20 5a c3 5a exception.symbol: ramos+0x1fcada exception.instruction: int 1 exception.module: ramos.exe exception.exception_code: 0xc0000005 exception.offset: 2083546 exception.address: 0xc3cada registers.esp: 1570856 registers.edi: 0 registers.eax: 1570856 registers.ebp: 4001214484 registers.edx: 461029562 registers.ebx: 12831775 registers.esi: 10 registers.ecx: 392732831	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 e9 fc fa ff ff 83 c0 exception.symbol: ramos+0x1fd5c4 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2086340 exception.address: 0xc3d5c4 registers.esp: 1570896 registers.edi: 6379 registers.eax: 31993 registers.ebp: 4001214484 registers.edx: 4294938116 registers.ebx: 12864471 registers.esi: 24878 registers.ecx: 2027002322	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 50 b8 41 cc 7f 4e e9 03 fa ff ff 89 e7 81 c7 exception.symbol: ramos+0x20d287 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2151047 exception.address: 0xc4d287 registers.esp: 1570892 registers.edi: 11190674 registers.eax: 32169 registers.ebp: 4001214484 registers.edx: 6 registers.ebx: 28860940 registers.esi: 12896664 registers.ecx: 0	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 52 50 b8 15 09 bf 6b e9 d1 03 00 00 exception.symbol: ramos+0x20cf64 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2150244 exception.address: 0xc4cf64 registers.esp: 1570896 registers.edi: 11190674 registers.eax: 32169 registers.ebp: 4001214484 registers.edx: 6 registers.ebx: 28860940 registers.esi: 12928833 registers.ecx: 0	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 68 14 20 00 24 89 1c 24 52 ba c3 16 e6 79 89 exception.symbol: ramos+0x20d311 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2151185 exception.address: 0xc4d311 registers.esp: 1570896 registers.edi: 11190674 registers.eax: 4294938620 registers.ebp: 4001214484 registers.edx: 2298801283 registers.ebx: 28860940 registers.esi: 12928833 registers.ecx: 0	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 55 e9 5d f7 ff ff 01 c6 58 89 74 24 04 8b 34 exception.symbol: ramos+0x20e1da exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2154970 exception.address: 0xc4e1da registers.esp: 1570892 registers.edi: 11190674 registers.eax: 28524 registers.ebp: 4001214484 registers.edx: 1524682713 registers.ebx: 2084216892 registers.esi: 12928833 registers.ecx: 12900566	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 e9 3a 00 00 00 bf 74 6f db 3e 89 exception.symbol: ramos+0x20e272 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2155122 exception.address: 0xc4e272 registers.esp: 1570896 registers.edi: 11190674 registers.eax: 28524 registers.ebp: 4001214484 registers.edx: 1524682713 registers.ebx: 2084216892 registers.esi: 12928833 registers.ecx: 12929090	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 8a 01 00 00 81 ea 46 ae fe 27 5e exception.symbol: ramos+0x20de14 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2154004 exception.address: 0xc4de14 registers.esp: 1570896 registers.edi: 11190674 registers.eax: 28524 registers.ebp: 4001214484 registers.edx: 1524682713 registers.ebx: 4294941472 registers.esi: 1179202795 registers.ecx: 12929090	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 31 c9 e9 6b 07 00 00 81 ed c5 ec 81 ad 29 ea exception.symbol: ramos+0x2138d8 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2177240 exception.address: 0xc538d8 registers.esp: 1570888 registers.edi: 11190674 registers.eax: 31449 registers.ebp: 4001214484 registers.edx: 12956566 registers.ebx: 686164844 registers.esi: 1179202795 registers.ecx: 358888575	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 23 c2 f9 64 89 04 24 e9 e0 00 00 exception.symbol: ramos+0x213f18 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2178840 exception.address: 0xc53f18 registers.esp: 1570888 registers.edi: 11190674 registers.eax: 31449 registers.ebp: 4001214484 registers.edx: 12956566 registers.ebx: 686164844 registers.esi: 4262367416 registers.ecx: 4294938452	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 67 00 00 00 89 e7 81 c7 04 00 00 00 81 c7 exception.symbol: ramos+0x214f6d exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2183021 exception.address: 0xc54f6d registers.esp: 1570884 registers.edi: 11190674 registers.eax: 30982 registers.ebp: 4001214484 registers.edx: 12928154 registers.ebx: 686164844 registers.esi: 4262367416 registers.ecx: 4294938452	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 5c 03 00 00 55 c7 04 24 00 4a 5f 6b 89 04 exception.symbol: ramos+0x214949 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2181449 exception.address: 0xc54949 registers.esp: 1570888 registers.edi: 11190674 registers.eax: 30982 registers.ebp: 4001214484 registers.edx: 12959136 registers.ebx: 686164844 registers.esi: 4262367416 registers.ecx: 4294938452	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 34 01 00 00 83 ec 04 89 24 24 81 04 24 04 exception.symbol: ramos+0x214702 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2180866 exception.address: 0xc54702 registers.esp: 1570888 registers.edi: 11190674 registers.eax: 0 registers.ebp: 4001214484 registers.edx: 12931364 registers.ebx: 686164844 registers.esi: 84201 registers.ecx: 4294938452	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 93 01 00 00 f7 d0 92 92 35 77 0e 7d 5d 51 exception.symbol: ramos+0x233ae8 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2308840 exception.address: 0xc73ae8 registers.esp: 1570856 registers.edi: 13088208 registers.eax: 32743 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 237783825 registers.esi: 13051235 registers.ecx: 2062942208	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 d2 05 00 00 87 0c 24 8b 24 24 fb e9 93 01 exception.symbol: ramos+0x233adc exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2308828 exception.address: 0xc73adc registers.esp: 1570856 registers.edi: 13058340 registers.eax: 0 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 237783825 registers.esi: 116969 registers.ecx: 2062942208	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 51 b9 32 c9 fe 1d 01 c8 59 05 00 19 6e 3d 03 exception.symbol: ramos+0x2357c6 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2316230 exception.address: 0xc757c6 registers.esp: 1570852 registers.edi: 13058340 registers.eax: 13061730 registers.ebp: 4001214484 registers.edx: 2105246407 registers.ebx: 237783825 registers.esi: 116969 registers.ecx: 1827966415	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 68 33 95 63 54 59 81 c9 03 14 f3 3f f7 d9 e9 exception.symbol: ramos+0x235692 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2315922 exception.address: 0xc75692 registers.esp: 1570856 registers.edi: 1716958048 registers.eax: 13064529 registers.ebp: 4001214484 registers.edx: 2105246407 registers.ebx: 237783825 registers.esi: 0 registers.ecx: 1827966415	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 81 e9 21 89 df 7f e9 8b ff ff ff 5d 81 ec 04 exception.symbol: ramos+0x236563 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2319715 exception.address: 0xc76563 registers.esp: 1570852 registers.edi: 13065136 registers.eax: 25811 registers.ebp: 4001214484 registers.edx: 2105246407 registers.ebx: 417201301 registers.esi: 13065149 registers.ecx: 13065635	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 89 0c 24 b9 4b c8 ef 6f 53 exception.symbol: ramos+0x2366d0 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2320080 exception.address: 0xc766d0 registers.esp: 1570856 registers.edi: 13065136 registers.eax: 25811 registers.ebp: 4001214484 registers.edx: 2399949160 registers.ebx: 417201301 registers.esi: 4294944112 registers.ecx: 13091446	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 78 fb ff ff 01 fe 5f e9 bd fb ff ff 59 68 exception.symbol: ramos+0x236efa exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2322170 exception.address: 0xc76efa registers.esp: 1570852 registers.edi: 13065136 registers.eax: 29769 registers.ebp: 4001214484 registers.edx: 2399949160 registers.ebx: 2051009052 registers.esi: 13068674 registers.ecx: 13091446	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 57 01 00 00 83 c4 04 83 c7 04 e9 c6 00 00 exception.symbol: ramos+0x237551 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2323793 exception.address: 0xc77551 registers.esp: 1570856 registers.edi: 0 registers.eax: 703045005 registers.ebp: 4001214484 registers.edx: 2399949160 registers.ebx: 2051009052 registers.esi: 13072083 registers.ecx: 13091446	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 8d fd ff ff 89 0c 24 89 e1 81 c1 04 00 00 exception.symbol: ramos+0x23ba0e exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2341390 exception.address: 0xc7ba0e registers.esp: 1570856 registers.edi: 13090673 registers.eax: 28464 registers.ebp: 4001214484 registers.edx: 0 registers.ebx: 0 registers.esi: 13072083 registers.ecx: 101609	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 81 ef 86 fe fe 1f 03 3c 24 e9 00 00 00 00 68 exception.symbol: ramos+0x23e8c0 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2353344 exception.address: 0xc7e8c0 registers.esp: 1570852 registers.edi: 13098635 registers.eax: 30895 registers.ebp: 4001214484 registers.edx: 0 registers.ebx: 775972864 registers.esi: 13072083 registers.ecx: 670234227	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 52 ba 44 87 8d 76 f7 da f7 da 83 ec exception.symbol: ramos+0x23e59f exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2352543 exception.address: 0xc7e59f registers.esp: 1570856 registers.edi: 13101838 registers.eax: 30895 registers.ebp: 4001214484 registers.edx: 0 registers.ebx: 0 registers.esi: 3939837675 registers.ecx: 670234227	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 c8 03 00 00 83 ec 04 89 14 24 ba exception.symbol: ramos+0x240cf4 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2362612 exception.address: 0xc80cf4 registers.esp: 1570852 registers.edi: 13109555 registers.eax: 28263 registers.ebp: 4001214484 registers.edx: 29517 registers.ebx: 4006486429 registers.esi: 29588739 registers.ecx: 13137101	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 51 50 89 1c 24 bb e1 ee 1c 36 89 d9 5b 56 e9 exception.symbol: ramos+0x240a91 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2362001 exception.address: 0xc80a91 registers.esp: 1570856 registers.edi: 13112738 registers.eax: 157417 registers.ebp: 4001214484 registers.edx: 29517 registers.ebx: 4006486429 registers.esi: 29588739 registers.ecx: 0	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 57 54 5f 81 ec 04 00 00 00 89 2c 24 51 55 bd exception.symbol: ramos+0x242249 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2368073 exception.address: 0xc82249 registers.esp: 1570856 registers.edi: 13112738 registers.eax: 30748 registers.ebp: 4001214484 registers.edx: 29517 registers.ebx: 907865825 registers.esi: 29588739 registers.ecx: 13146310	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 ae 01 00 00 50 b8 c6 f9 exception.symbol: ramos+0x2428f3 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2369779 exception.address: 0xc828f3 registers.esp: 1570856 registers.edi: 13112738 registers.eax: 30748 registers.ebp: 4001214484 registers.edx: 604277075 registers.ebx: 4294939344 registers.esi: 29588739 registers.ecx: 13146310	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 50 51 e9 7b fe ff ff bd 93 1e 6a 39 e9 9b 00 exception.symbol: ramos+0x248813 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2394131 exception.address: 0xc88813 registers.esp: 1570852 registers.edi: 13112738 registers.eax: 32480 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 13139719 registers.ecx: 2062942208	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 68 1b 31 db 49 89 0c 24 51 89 e1 81 c1 04 00 exception.symbol: ramos+0x248629 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2393641 exception.address: 0xc88629 registers.esp: 1570856 registers.edi: 13112738 registers.eax: 4294937752 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 1416696936 registers.esi: 13172199 registers.ecx: 2062942208	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 55 bd 3b 5f db 5b 81 c5 4c 09 7b 1e 50 e9 ff exception.symbol: ramos+0x25a069 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2465897 exception.address: 0xc9a069 registers.esp: 1570856 registers.edi: 428788132 registers.eax: 27633 registers.ebp: 4001214484 registers.edx: 51620 registers.ebx: 13181191 registers.esi: 4702472 registers.ecx: 13240144	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 57 68 1d dd 77 5b 5f 81 e7 70 bd ff 6b c1 ef exception.symbol: ramos+0x25a710 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2467600 exception.address: 0xc9a710 registers.esp: 1570856 registers.edi: 428788132 registers.eax: 27633 registers.ebp: 4001214484 registers.edx: 51620 registers.ebx: 0 registers.esi: 1544302440 registers.ecx: 13215708	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 b9 8d 54 96 3d e9 28 00 00 00 03 exception.symbol: ramos+0x2659a6 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2513318 exception.address: 0xca59a6 registers.esp: 1570856 registers.edi: 4294944084 registers.eax: 607422807 registers.ebp: 4001214484 registers.edx: 2481736 registers.ebx: 1971716070 registers.esi: 1544302440 registers.ecx: 13287123	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb e9 e5 ff ff ff bf 69 80 96 3f 81 cf 96 bb 7b exception.symbol: ramos+0x266bce exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2517966 exception.address: 0xca6bce registers.esp: 1570856 registers.edi: 4294944084 registers.eax: 13291540 registers.ebp: 4001214484 registers.edx: 2481736 registers.ebx: 1971716070 registers.esi: 1544302440 registers.ecx: 1621786296	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 ba 59 65 e9 19 e9 c1 01 00 00 33 exception.symbol: ramos+0x26689b exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2517147 exception.address: 0xca689b registers.esp: 1570856 registers.edi: 210327126 registers.eax: 13267456 registers.ebp: 4001214484 registers.edx: 2481736 registers.ebx: 0 registers.esi: 1544302440 registers.ecx: 1621786296	1
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: fb 31 c9 50 89 c8 51 89 3c 24 68 04 a0 39 6c 89 exception.symbol: ramos+0x274850 exception.instruction: sti exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2574416 exception.address: 0xcb4850 registers.esp: 1570856 registers.edi: 428788132 registers.eax: 31869 registers.ebp: 4001214484 registers.edx: 2130566132 registers.ebx: 13352192 registers.esi: 3998900148 registers.ecx: 2062942208	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/num/random.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (13 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/well/random.exe
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.100/
request	GET http://185.215.113.16/num/random.exe
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 114 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00061000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorti.exe tried to sleep 1135 seconds, actually delayed analysis time by 1135 seconds

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2584 crashed
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9890984 registers.r15: 8791562032752 registers.rcx: 48 registers.rsi: 8791561964416 registers.r10: 0 registers.rbx: 0 registers.rsp: 9890616 registers.r11: 9894000 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14927648 registers.rbp: 9890736 registers.rdi: 269595360 registers.rax: 13442816 registers.r13: 9891576	1	0	0

Application Crash

Process firefox.exe with pid 2584 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 12, 2024, 8:50 a.m.

stacktrace:

0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9890984
registers.r15: 8791562032752
registers.rcx: 48
registers.rsi: 8791561964416
registers.r10: 0
registers.rbx: 0
registers.rsp: 9890616
registers.r11: 9894000
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14927648
registers.rbp: 9890736
registers.rdi: 269595360
registers.rax: 13442816
registers.r13: 9891576

Steals private information from local Internet browsers (50 out of 4440 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\1000037002\e72857cb8a.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 12, 2024, 8:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW Aug. 12, 2024, 8:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe	1	1
ShellExecuteExW Aug. 12, 2024, 8:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\1000037002\e72857cb8a.exe parameters: filepath: C:\Users\test22\1000037002\e72857cb8a.exe	1	1
ShellExecuteExW Aug. 12, 2024, 8:50 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x00000304 process_name: RegAsm.exe process_identifier: 2088	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x00000304 process_name: RegAsm.exe process_identifier: 2220	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x00000304 process_name: firefox.exe process_identifier: 2448	1	1
Process32NextW Aug. 12, 2024, 8:50 a.m.	snapshot_handle: 0x00000304 process_name: firefox.exe process_identifier: 2584	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000002bc7d30000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes explorti.exe, regasm.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELO¹fà° À@ `<°OÀà(&à¯ H.text `.rsrcàÀ@@.relocà@Bp°H(¡Ü ':r(Àö¾%µT¤sÔ6(ÌÂÄJåúcv1EÅJôuÍ¤Aõ8Ø¦<Á³ ¼à"Wt 4æ>uÝ"Ytín)QÂªªý#&kÔ:Ó`_§3a¾Vª$à@¤ýýßôP ÿV· FûëÀJà{ÛNcÐT#(¼w^Q³¸M-r½JÐ3\x´Çó£K&\|~\CPXqo D_DéªQ¬EÆ²wTÁ~)ïD·'·¡µ÷ f c6â7sò >x³×Î#ü]TîôCË²ê²7bâ/=¤i7aîË;ÑÇá¿l~ìøÕøÇ¥øÚJæ!é·ãä¤`³åä=.uXzá¿RµíÀ0¦üî>XEÓÀl»qO¥+¿ ¹xx© ¶3ï$(öC83Ü]Iãs¹çñ»i¦æQ¡o_ßIãùÙÄ×Ú~4tì¬l^éxåÙ0& ÒS¡EZï=%à{÷2b¥`ACÙª"ýkãã±<ñ[Ðs#ÓþXçùnµûÕ"ùYP&KAüA'¢14/SE³åOäIæÇ%)fÌ&úB²Ýhúå¢HÝ?È\V$'ªO(}¤ò®UÉeÀlíO6CveK`l¸<9îFÊ( 0¿§W¤vßðõ/ûiOm×aJÌ¤°ÏÜx/ÃJjMØÐîTª¼øþJ³É1?eXAì¯J(×à¿]ôÍ8qI¨ç±£xø}i%BÁ9@°í`s, tÃ¤¯ï\|e- îò)ª3~gGc~ûØçUZ¡SX¦Ty:£U(÷É2©²T!ïÝÃB1%vÖ¶HW®n-ºb2ULo"Ì'²$è&Áì)FGõ° ÖyYÏ5¡.=µÌ¿W¹¡òp¸¹½vÕã¡s!ú¢Ô·´øìWÚìV#4Mã<3,Ë I´<)ñô³~´ UÅïÈ!®MÈóVµ¹Q"®Âæp59.'AW²ò<îq[Åé8`CU[r¯ñÌ²ý°£\|w=ÈcÂòÝGøE® ÓEÊGÕý·¤eØÕyCbNc[¹b$P)I_}õØJdÚøòæå}o$CF_- Eºe·ëÿÀx1idÒN/¿¤$ë Ê;P9¯ZÀ ~ùÑ¬sûA®_fBdÉ¦O=ÅmÙ·ÑþBä· ÐÁbB¿ò:æ9ÎæëjZ\|Uì¯ØtÕªK KÞasZµöÜd}L_±ÿGG¦KlkfcM-Îä¬O'÷hC,mnàã w&uECÄ ÆÇ¹2¢CäqÔv××ÎÄÅÿg[<è F}ZÝípáøVÊÎNeñk´lIÕ¬=&v¹üØJTG#?qèHgL8[ú²À(4ÀæÃ¸PÂ9lM ôóû_!ÎÓ#§M&Ý³7G+vÈ"u~¨ÜÔ=Í¢ó4_Î1c[wQ`û¼RvÉÑe& [@s%¾c áý×Ø²\ì¡?ß§Ý7Q4\ôÅ¢aã1ÙávÝÅÁj&©ukÛîCÎiqýR÷ë©p¡±d°FWÒ´±6Á)Æî¥¤ÓæÌîKSÎ¸øUêiñ¸O£ÅD0< åO¤QÎ%X·ÛÕû¨[mö¡~ûðó5T\|¹ TÅóìÁö÷·vâA±RoýEi^:ºÆNéF¼Ý?8{AB¿å¨9³ADÜÈ+QìeÇUvë×ªQ¬ª[Ój¡QK¥Òmh.ÑhA¼4Êb]î 0Í¦Õ2©^0ìú¥ÉUS¶qK=DïeÔ£,I»dR¯À¾~úÙùlÐZWCö8üÙZØ¸Vô ×b#Üâ¸ë¿Aö(¿&ÀÞí¥¿¯»£PXRèi[2rÅíãûäûUñ7dyoÖ^)ÍÀcù;sú²Þ@qáb¬G»`?Ûã, ºjáwr©$]ÝñÐbþ^LPnØJ¯§!ûkc²0û)iÚ&óàGÆ0jðºÜ»9VtYð¾âøXÌAÁâ¸«ÙýÍ© Ý6jsGe lHW#ºÃüååC³Ç»vXEKW\|3ÃÒlµjvNý>á48K%íV v¢9»c5:^¥k@&BÄk\|dÔè ÇÎEÖÄÕNPJgW ÜspêùÓaË~Å½ç`³Á ü~q!£Ö'/8kÖûQOûQÄú óé×OGX$?zñø9$A»Ï=!ëGgéw®Rb'--ª2j6ú`4Ý½ß¢²Úøµô}¶ùò©çÒÃ1J½¬^!<b«ó©lq7Jà óº3È(qNºÜS tÊV¤ÓóJ7%ß°þÈÙAîâàó]¢gmÜý'¦Ú¸È¦y²¹Ã `2Ï{É]¼~ÜÔÖÐ½ÑZÃ$XY-â+§Èf3Gº^÷òT_^q^¼Â9æÝs¢ªå±¡g¾ü\|N 6#ø Æ»/-7¾ÃFERæ¥ATÜÃeéEXÒá§[×DÀ×^²ÝØ.í ¹e¹åß\|®EEàhßò~ ¨fT&ø¼©Øª¤ñki16A GöÑÚÇcÏ¤_ü¢¡²T§)µ-¼2«óxÚùÛ¬n² Ãáwà{_Ygµ£ IÚ^Xóü6±+k<Üw%R¥à³&ZL £Áõ¯ô'ë+¶´(2[ -cò#8e×þb¿È¨¡Z¸jp/âQzL î^ºú6'éTC±2!ÉGî7b?N_SÚ¶9à¯À¬JN}òÔ3~xyu¤qGäé]NÆºÙ¼Uàz¹]çg+'R¿»ÖÿRÏiM½¾,ßí ÌdË·]½úÊö¾G\9ò{Ýõ½?ly_~à@îCvðÍÁºÁ{ù0>\ÝÐõbü¤üãþ;oøqþ®bÝo1ù±×öQ¨8£YJV'pë±ð¢à[G_[~÷ñ.]ðrñ<zâî7 ²,I(gzgú¦>Tkø0Sn#»¶¶{¡¢ÜC±C¢t'aeÛR#_çE«i;GlZ»äKÓÍ!}àjÒî]?1-pêùø\|?¤/¸¤Oß¢Þ$;ß§}3àªC õ òlì¢ÿ^Áîî¶÷;òñYKªt}Üz¯N]×1BÎ-1Wb!I:¼Ò=Qõªe/1Xc¢.(Ñ=rþ¹-èPfèuÝð?ïþ¨íkÍÕoÄaJ Fº£7Ç¿:õãm»°H7¬Òb3ngaº®~Êú;¤HðÊëÁ(l¦u^àu Ý¿ûÞÃh5´E\|PÝ?<ÿ£®«ahÑ'0ü#¸¾Ý£?Ð2.ÝÄµÍ¦FI«ÈNH6)¤é²öé¬Û¦Eùã%oÙTìêK¤Æ+\iµÛ<:Ò#§ñ+%^í¤Ç{¡ýAoeÁ¸6HÃ¬³ aâs;ÀùI- «oîåÊÇBþª'/_ª\ÇØÔ3öÜßõxè§×ÆnTd»ó·î½XrÇ~0>×¥Ãr#@WkNºÆvçRîIñ$cóØBu:äüÈsGÃëÖÖÄX §ó4Í÷ö¥OP!â1¸³85tíÈ½nÑböÅNué56 Ý 47qöÎXìÙL,í¤MõºØ]T+Í¥#X\|ncxp<E·=¡èHÖkÈ I5V¡¬×dhPbc° wtoæ!I\|¿yàÜÂAûûãB{¾·_ÉÙ[ÔßTª¥\|ðº¬þuþ¶\|%Û ÝÞaÐ$RË·çÙ©4= xø+ÄªíÅºò{l½ñ+¾ÞÎÎg_ï=u]'C¡¬±¹x4RMuÿþàJIàÀ«òy`Xô\::ý@ö¾Äíx]O¤ðÕ¶vîj¼#wö¤ye\¢¶MXHÂqÈ8û¼&êuS¤ð!"¥¾0Ö}}ÑZ&ÿ7ð¯\ÌÅI" Ê';RåüT«ÑTÛ]®Ã«®¤uñWîÅ`_¯ìª²;cThø#lå1°¦²1°Û(Àý ¿ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¤[¹fà ( @@ `<(O@à(&`' H.text `.rsrcà@@@.reloc`@Bp(H(Ü Ô®fgåï8?o7øüj©ØØ2,ÆÛhTâ6RñFÕÊÀÎ4¦9 H-ºÕ7ðJ¡ $´ÝÉ OF$.J¥%SÀ@i$#}gvyê)}º¸î~züq74É²µ¼ lD1Vá@~#Ò(½r(CRÀªÔxmO5¨j93`Î±k º®Òù+eí,º^Õ"ÏÿçMûQS6ÇA;òhÂðwóÚeÙòn5ÿJ³¸Ô÷lM÷ä;u÷ A6[äÁßÜ±°;AÑnâãÜC ¦9("¸ h9×½kDÒcuY,à9â»¿iö°ÏÁñçF÷Òæ£äºéb½Í~TßÃ±eE7Ö iCì`Zy±OvBt$ñ{?BÁ¼yqë@ðáÛØÕÀÍÊV¥X'òÛ©çÚdÞÉÝæKÊó/÷¬;Î¡äâyµb¨zRÖÊx'ÈÜÙ¤×;ïÊÛQÉ{\M Lª¥×#·ñ9R&·ÓÁyï± J.v $©®÷°)[¶ÈÚx§®K«å¦å 0ËYó:ß(yuÎÄmäPHYî«ÄØ,êòY4H¾~©ækagÌõ°æDÒ.·Æ Ñ¯ö«IÍ²ú÷Ìy:mo¦³È+©é6,=ÕËãÊöÝØå]lÕóÉ2§f a³x-'òÜåw -Å$öb?Å8'ÕVRÿeéÚÐêù}Õ¾í¤aIàÈâågòVä%zzæW¨µb¬U;×6Þ 2I¦Ujäz&hjÁZ~IPáL oÂ·ùúÔöå'7%V¾ûFóôqc¦ÚpA±\|ÈëçÞvMµúu 9FKXrÐ Ý¬`2cqwÉÂzÝO96rfrÆ;¨Ö¤ªª$ÎPYMA³4v¨±Á¯+û{L<â;¸\ ~ç «2Ù{_#?Á¼SÔ:÷{Ü)¥òk 3¾CÔ#Ù^KÙHÊÈ·Àê9lÖFðéÏºp®^éýïgÏîâ¿ºv0=IhtðÃCdèïÄìÁq!ß·»ªìX)/©fÏÕD]Ãvý³3yzÜBNÔDL æcþÍ0«Gµç¹P<o·Ñ¦ëHÆê! Âé}¸wYX(©ïÁ¨ÐOS6ò¿õÊ®Ó,ºÐÚk¹ Üµye%â~`øOÄ2Ñ×ÊzbjõS¾DB¯hn¹fÓî,]î1(ðTØ$ò¶ÊÙ9'ugqt9èhXp`ªÚm#ñ½#ûiÁl9£tÎ\àEÛulûyvÒ6öGÞÔqúªu²û!í3St©'û:&Dr3BÙ°Åð»À-IöTûÚ1'Ïñø4â½ã5ºäS#yBöïÓæÙîoÿÀôõ(Ú¤tÂN½wèZ@òÍ+ò¬î;þÌ&ï»vG´y7ú(ü<#>æu\|«Ôû¦º+EE¦>6çqÇ!Éµ\±×çA,j&/à å¬$Ë~fÚrXHF.¯Ý¤».r5áRâziûþ)AêÄ/3¦R6úDQÐÜlôºiÍ!{/Sò!ÔúS8~ÉÌPËO´ ÆÂ ³n¤¡² É8%};Ãøkñ¶ù ¤7»¡Kð¾ógÓcQ£@.EºTAÛo;ÎdÑò<u×»à#8\|ÛP+o¤+YåÅôRM¸< `4e ÚeAU~ÊÙûÄåèMK31ÞpYg°mmbk§0°©ÇBÒ=Þïv×,Õ£ê[¸ò¤Í¤ç»Çî¶ H ¤f~nº§Kr LþWù¿ùÄL7þ;YÔÙß\ÆþêÔê,²=¡Yµã¶¾äª6tÒp3Ê`ê¯'Xø4óón®÷føÓ]HÁTãÎëÄ° ²O êò¤6ot'·JrÅ°!òËpuûÄb¦ÀC<µ-ùÔñ «65fÉg8\=S`a$[ISÚ6äõ¸¾9\|¯4üOøÞªöV``ºªYN¨P×ýøyñÇ`ö['¦À«>áÙcf\6 /³ûãdF¼{q'b>Uÿ\¢´âmtöFÙÖü-Á_ÒDö 2Òâw³ F2G$Ç§Ë£¡gÞ÷ù2êújø.`Ù^á2tZ¢R¡`À»tvßÞÛ°[fN-J Ú¡÷©þOö{YÓÄGÐ´ØH_ÖÆ¼®1¢rG}I>JzÍf!vú]Íh¶Ç¦q)-pÎc¹_×w¾BÞÏÙëGJ?3·µhî >¦£½W=H¼æ¥#0òæª´å_îo¸foËUOò¿¼¬bse× D,y$ò3L5Dûm1n;Ö<ÛïíóL¾Õumòc¬bÆ¥.&AF'$O õß{Ð5¡ÑÖiÊ³ýk}Ø)ùÍÔ÷póÀFMyÈÂ¿üëSã \|¼Èãßë×öt-µÀåQ¹?Hß³>;näô(ëw!O+ú¦Y¬¸²:Ý\|{{Û{Z XIÛ7JØh"®:ú ¨VìÉWDo,¬¬¬Áþ®¹þÌvz1ßa:ïv\|êC1Ù^àÁ½A`ß«Ä2½¤ WüA¥2BMÓù $%Gó=ÑðÇÀZÕã;í#QU(£µD^æp&×ÚÓÄíy}ZÐ"ÓptcSë;«Ø"ë<4ùyg°¥5ë[o[{ÞI)u<GZbý]àº<ðNZzËùÓ-ËBm½Ò=öÐ=)3_oyzäaÒÝáÚ.<ßùµq®ÒÄæ3Öº ¸÷g°!1\|R4ivÁ½°tÐ9x °¾UjÃ{þdõ·P <ÿYë×æB}¬ê\qêAJ³SÂëÕÞ¦ÝTáñÑDà0¡n>ãú]ÿô57@²QÙ¨É\©5ÉÛÌ+?5öµ'Õ_y45XÞR£);Ãë»RéyvÖÙVñ¡ÀÀÞ.`Ñ vo`c-Ú'»éõ4 ÆpOr¤,½ÊGê¡E²-p³ÍNÌ L yÍäÙE}mÂ Òf7b!OOÞ®V_Z·¸EsæÍrØ`Ôføëò\|©{Óé¿ª{0§ÒÓ ¬êRárÌ,Ðo½+ZLØMå»xËÚdä2}AUiÍü¥¶pÙ#éKýOJs¿%'ßÍÙßò`Ïð+ó§\¸ÄÑÏëÐZnK%Ãv, ·¯¾¨UcyOÓA=Å }Å¦K¿\Qgòà<³k n?«üÛj©ì¥úh215kã#ù8wëh{@àõÓ)¯luU¡O¾å·ý0 AóLMÆ a=!7;Q«â´[ë¢F1M³ .ù½íÑþ;Z`¹A«çÅçÀFd4¡£.Q.ãô)àèJÆ®ðöËÁ¶»¨5ü +¹ç¢õ@.ÜE^ EU0Ï]c&Ï°lzSî¥èVÈðí+(¿tw#GK+Û¹IMÕüÇYx"ögÚp Ô(»¦V¸H~§LêuU2 ÆwÐË.+´/#J¯¶×9sàd¿!}Ez Lµ^aÚëÒ¼·ktêÍ~¼S´ ÅdTÎ=Æ¡¿óýÜµ[8W·[¥É\ÛZ0@´S4Ú Ì3ðëðÍ:åám¸rÞI ,k(ªúKÝ×®{SWçóßcäµ?ãIå}+4ó¤±×}:ûÂ^páËên«Ã`«mø½O"0¨¹ p¿å"$âÚE0©w")6fÐkb#Õýr_w-tQaíO??22¼çTìÌx&°o»m¢Ï½ÑKþUAE}ÀÜô"jÏ¿#Vua2Is4wv³[oØõÚø2Ý0¼§ÛH<u6Ù!ð+MÜ¯/ì´ç¾3ûÙÔ¸b§®\|ññ<ìf`As9g%RèNm0¾_÷lüð@YÝØªåæ`á"tqë!µnBøl¯ÅëÅÑêÙ¤uÅ³º½ûjFw^ÛôC.H¤çS½ g^ç´¹EQ¬*(¶ÿ¿Qø7ßÎ®¦ÆM\Ô!Ë¿b7§«íªs³"UP©NÐðÔæq:{>7ÐÕ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.relocDà#F¨@By¹ApÈAÙÈAUìQEEü}tMüÆUüÂUüEèEëàEå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìEèExMÿUMMMëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSjh0hÀAÈjÿ$ÐbEüPøtÀüÉÀøX}üt,ÀhÀæEüPèNsSÉÉü[hhÀAÈMüQÿdÏb[å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQÇEüjj@h0hÐjÿØÐbPÿÐbEü}üujÿìÏbèRÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì(EÜPÿtÏbMðMØ}ØsjÿìÏbå]ÃÌÌÌÌÌÌÌÌUì¡@ÍbPèâaPè,sÄÀu! ÎbQè9aPèsÄÀujÿìÏb]ÃÌÌUììjjj¡ÐÈbPÿ,ÐbEôj MôQÿÐÏbEøUôRjÿpÐb}ø}jÿìÏbå]ÃÌÌÌÌÌUììHj@jE¸PèrÇE¸@M¸QÿÑbøujhUÄREÀPèÁjhRPèÁEøUüëÇEøÇEü}üwr }øWsjÿìÏbå]ÃÌÌUììÇEøÿhjÿÀÐbPÿXÐbEôEüPhjMQURÿ¬ÏbÀuEøPMôQjjUREüPÿÏbMüQÿ(ÐbEôå]ÃÌÌÌÌUìì\hèjüÿÿPÿäàAÄh4MBhäMBhè\ÿÿÿÄPüÿÿQÿlÐbüÿÿRÿÏbøÊhbBüÿÿPÿlÐbhÿ Büÿÿèh¬NBàûÿÿQðÉbRìûÿÿPüÿÿèÎÈèÇPüÿÿè«àûÿÿèìûÿÿèõhBøûÿÿè%jÈûÿÿQèrÄP¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèdÈèÍPøûÿÿèA¼ûÿÿèÔûÿÿèÈûÿÿèjøûÿÿèCPüÿÿRÿ0ÏbüÿÿPüÿÿQìÌøûÿÿRèæèÄÀtMüÿÿPüÿÿQìÌüÿÿRè»ìÌEPèÊ¤ûÿÿQè7Ä ¤ûÿÿèíøûÿÿè²PÿÏbøûÿÿèüÿÿèjjüÿÿRÿäàAÄøûÿÿè¦üÿÿèMèå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüÁ\|ènMüÁHècMüÁ<èXMüÁ0èMMüèåå]ÃÌUìQMüEPMüè MÁ0QMüÁ0è»UÂ<RMüÁ<è©EÀHPMüÁHèMüUBTATMüUBXAXMüUB\A\MüUB`A`MüUBdAdMüUBhAhMüUBlAlMüUBpApMüUBtAtMüUBxAxMÁ\|QMüÁ\|è Eüå]ÂÌÌÌÌUìQMüMüÁ$èNMüÁèCMüÁè8Müè0å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMÁQMüÁèUÂRMüÁèEÀ$PMüÁ$èwEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììthBMèèêhBMôèÝEüÿÿ½üÿÿt½üÿÿtW½üÿÿéÇjhþÿÿQèqÄP\þÿÿRMèèoPMèèæ\þÿÿè;hþÿÿè0éjPþÿÿPèÍpÄPDþÿÿQMèèPMèè¡DþÿÿèöPþÿÿèëë@j(8þÿÿRèpÄP,þÿÿPMèèèPMèè_,þÿÿè´8þÿÿè©}0hbBüýÿÿQURþÿÿPhdOBþÿÿQUèR þÿÿPMôèÈèÈè{ÈèPMôèëüýÿÿè@þÿÿè5þÿÿè þÿÿèéM$QÀýÿÿRh´PBÌýÿÿPMQØýÿÿRhPBäýÿÿPMèQðýÿÿRMôèùÈèÈèëÈètÈèÝPMôèTÀýÿÿè©ÌýÿÿèØýÿÿèäýÿÿèðýÿÿè} þÿÿPMôè>PÿÑbEä}äÿu5MôèVMèèNMèFMè>M$è6M4è®ûÿÿéh\QBÌþÿÿQÿÐbÀthRBÌþÿÿRÿÐbÀué}hBþÿÿè(}0æE$PlýÿÿQhüSBxýÿÿRÌþÿÿPýÿÿQhTSBýÿÿREPýÿÿQh¬RB¨ýÿÿREèP´ýÿÿQþÿÿè Èè)ÈèÈèÈèÈè ÈèvPþÿÿèêlýÿÿè?xýÿÿè4ýÿÿè)ýÿÿèýÿÿè¨ýÿÿè´ýÿÿèýé¦ÌþÿÿR0ýÿÿPhLUB<ýÿÿQURHýÿÿPh¤TBTýÿÿQUèR`ýÿÿPþÿÿèÑÈèZÈèÃÈèLÈèEPþÿÿè)0ýÿÿè~<ýÿÿèsHýÿÿèhTýÿÿè]`ýÿÿèRìÌþÿÿRèáèlÄÀ«h BþÿÿèahVBüüÿÿPMQýÿÿRhôUBýÿÿP ðÉbQ ýÿÿRþÿÿèÈèÈè÷Èè request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.98261885585991, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98261885586

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019fc00', u'virtual_address': u'0x00315000', u'entropy': 7.953479306807753, u'name': u'zghbmtmp', u'virtual_size': u'0x001a0000'}

entropy

7.95347930681

description

A section with a high entropy has been found

entropy

0.994076467421

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (46 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 12, 2024, 8:50 a.m.	status_code: 0x00000000 process_identifier: 2056 process_handle: 0x000001ec		0	0
NtTerminateProcess Aug. 12, 2024, 8:50 a.m.	status_code: 0x00000000 process_identifier: 2056 process_handle: 0x000001ec	1	0	0

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	185.215.113.16
host	185.215.113.19

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2056 region_size: 1232896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ec		3221225496
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2088 region_size: 1232896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2220 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1	0
NtProtectVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 358 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 12, 2024, 8:50 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\59d7dfe3f8.exe				reg_value	C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe
file	C:\Windows\Tasks\explorti.job

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 manipulating memory of non-child process 2056
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2056 region_size: 1232896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ec		3221225496	0

Potential code injection by writing to the memory of another process (14 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELO¹fà"¬ ÆwÀ @ÐjA@@@d\|@ Puð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@ ô@@.relocuPv@B base_address: 0x00400000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x00000001400122b0 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x0000000140020d88 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: I»`#þ?Aÿã base_address: 0x0000000076d81590 process_identifier: 2584 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: "\| base_address: 0x0000000140020d78 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: I» þ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2584 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: "\| base_address: 0x0000000140020d70 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: ÏT base_address: 0x000000013ffc0108 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000014001aae8 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x0000000140020c78 process_identifier: 2584 process_handle: 0x000000000000004c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELO¹fà"¬ ÆwÀ @ÐjA@@@d\|@ Puð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@ ô@@.relocuPv@B base_address: 0x00400000 process_identifier: 2088 process_handle: 0x000001f0	1	1	0
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2220 process_handle: 0x000001f0	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 12, 2024, 8:50 a.m.	key_handle: 0x00000308 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 called NtSetContextThread to modify thread in remote process 2088
Process injection	Process 2068 called NtSetContextThread to modify thread in remote process 2220
NtSetContextThread Aug. 12, 2024, 8:50 a.m.	registers.eip: 1995571652 registers.esp: 3472288 registers.edi: 0 registers.eax: 4326775 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 2088	1	0	0
NtSetContextThread Aug. 12, 2024, 8:50 a.m.	registers.eip: 1995571652 registers.esp: 2554792 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001ec process_identifier: 2220	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

firefox.exe

martian_process

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 resumed a thread in remote process 2088
Process injection	Process 2088 resumed a thread in remote process 2448
Process injection	Process 2068 resumed a thread in remote process 2220
Process injection	Process 2448 resumed a thread in remote process 2584
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2088	1	0	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2448	1	0	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2220	1	0	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2584	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 12, 2024, 8:50 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 e9 65 19 00 00 exception.symbol: ramos+0x1f6f95 exception.instruction: in eax, dx exception.module: ramos.exe exception.exception_code: 0xc0000096 exception.offset: 2060181 exception.address: 0xc36f95 registers.esp: 1570888 registers.edi: 4730383 registers.eax: 1447909480 registers.ebp: 4001214484 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 12795977 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 70 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 2808 thread_handle: 0x000003d8 process_identifier: 2804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2804	1	0
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 3044 thread_handle: 0x00000470 process_identifier: 3040 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000036001\59d7dfe3f8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 192 thread_handle: 0x00000460 process_identifier: 2068 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000037002\e72857cb8a.exe track: 1 command_line: "C:\Users\test22\1000037002\e72857cb8a.exe" filepath_r: C:\Users\test22\1000037002\e72857cb8a.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 2816 thread_handle: 0x000003b0 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000038001\4e6c60056f.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 3040	1	0
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 1152 thread_handle: 0x000001e8 process_identifier: 2056 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001ec	1	1
NtGetContextThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001e8	1	0
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2056 region_size: 1232896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ec		3221225496
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 1384 thread_handle: 0x000001f4 process_identifier: 2088 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001f0	1	1
NtGetContextThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001f4	1	0
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2088 region_size: 1232896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELO¹fà"¬ ÆwÀ @ÐjA@@@d\|@ Puð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@ ô@@.relocuPv@B base_address: 0x00400000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x00401000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x0049c000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x004cc000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x004d4000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x00525000 process_identifier: 2088 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x000001f0	1	1
NtSetContextThread Aug. 12, 2024, 8:50 a.m.	registers.eip: 1995571652 registers.esp: 3472288 registers.edi: 0 registers.eax: 4326775 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 2088	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 2488 thread_handle: 0x000002a4 process_identifier: 2448 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2448	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 2248 thread_handle: 0x000001ec process_identifier: 2220 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001f0	1	1
NtGetContextThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001ec	1	0
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2220 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x00401000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x0041e000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x0063e000 process_identifier: 2220 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2220 process_handle: 0x000001f0	1	1
NtSetContextThread Aug. 12, 2024, 8:50 a.m.	registers.eip: 1995571652 registers.esp: 2554792 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001ec process_identifier: 2220	1	0
NtResumeThread Aug. 12, 2024, 8:50 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2220	1	0
CreateProcessInternalW Aug. 12, 2024, 8:50 a.m.	thread_identifier: 2580 thread_handle: 0x0000000000000044 process_identifier: 2584 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x00000001400122b0 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: base_address: 0x0000000140020d88 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Aug. 12, 2024, 8:50 a.m.	section_handle: 0x0000000000000060 process_identifier: 2584 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000007c220000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Aug. 12, 2024, 8:50 a.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000007c220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: I»`#þ?Aÿã base_address: 0x0000000076d81590 process_identifier: 2584 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: "\| base_address: 0x0000000140020d78 process_identifier: 2584 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: I» þ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2584 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 12, 2024, 8:50 a.m.	buffer: "\| base_address: 0x0000000140020d70 process_identifier: 2584 process_handle: 0x000000000000004c	1	1

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!83847CF6A192
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.83847cf6a192b998
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=89)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.0DWaaanY7kci
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

ramos.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All