Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 19, 2024, 2:15 p.m.	Aug. 19, 2024, 2:52 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`304eb6432c7696e15f48eda1ffd469aa`
SHA256	`7835a26e3f5ea565c099b426c66838dbea8642cd7dcf51fdfc260b1cd9bde4a6`
CRC32	`4FDDB605`
ssdeep	`49152:/iCP6/ACHu1QT5Z17CXMuTsu03yMKtbyyIO0PWFiDsC2O:/il/ASZY8ysucyMm29OjFiwC2O`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

rama.exe "C:\Users\test22\AppData\Local\Temp\rama.exe"
1932
- svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2320
  - 2fd9b80b02.exe "C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe"
    2520
    - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe"
      2576
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
        2668
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3f86e00,0x7fef3f86e10,0x7fef3f86e20
        2788
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
        2752
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        2928
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\f68e7be3-9e2b-4ffe-97d7-a1ef27c9922c.dmp"
        2856
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\f68e7be3-9e2b-4ffe-97d7-a1ef27c9922c.dmp"
        2968
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
        2756
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        1152
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
        2776
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        1948
  - 5c887e602a.exe "C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe"
    3024
  - b936c46ad4.exe "C:\Users\test22\1000010002\b936c46ad4.exe"
    1476
    - cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\1000010002\b936c46ad4.exe" & del "C:\ProgramData\*.dll"" & exit
      3060
      - timeout.exe timeout /t 5
        412
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.100	Active	Moloch
31.41.244.10	Active	Moloch
31.41.244.11	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.103:49165 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.10:80 -> 192.168.56.103:49164	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.103:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49181	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49181 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49181	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49181	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49212 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49181	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49183	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49183	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49207 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 19, 2024, 2:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 19, 2024, 2:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 19, 2024, 2:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 19, 2024, 2:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 19, 2024, 2:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 19, 2024, 2:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 108 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:15 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:16 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 19, 2024, 2:15 p.m.	buffer: Could Not Find C:\ProgramData\*.dll & exit console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 19, 2024, 2:15 p.m.	buffer: Waiting for 5 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 19, 2024, 2:15 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2024, 2:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	gtwryuai
section	dszigxmi
section	.taggant

One or more processes crashed (50 out of 234 events)

Time & API	Arguments	Status
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: rama+0x31a0b9 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 3252409 exception.address: 0x34a0b9 registers.esp: 9435940 registers.edi: 0 registers.eax: 1 registers.ebp: 9435956 registers.edx: 5173248 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 31 db ff 34 1e e9 0d fd ff ff 87 04 24 e9 d2 exception.symbol: rama+0x6d694 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 448148 exception.address: 0x9d694 registers.esp: 9435908 registers.edi: 1971192040 registers.eax: 27239 registers.ebp: 3990663188 registers.edx: 196608 registers.ebx: 239103 registers.esi: 669701 registers.ecx: 1971388416	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 50 b8 27 8f 7a 7a 52 55 bd 00 c8 c6 33 e9 74 exception.symbol: rama+0x6cfc5 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 446405 exception.address: 0x9cfc5 registers.esp: 9435908 registers.edi: 1971192040 registers.eax: 27239 registers.ebp: 3990663188 registers.edx: 196608 registers.ebx: 4294942624 registers.esi: 669701 registers.ecx: 3639170898	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 99 01 00 00 83 c2 04 87 14 24 5c 81 ef 18 exception.symbol: rama+0x6db58 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 449368 exception.address: 0x9db58 registers.esp: 9435904 registers.edi: 1971192040 registers.eax: 26972 registers.ebp: 3990663188 registers.edx: 1933118857 registers.ebx: 1698716272 registers.esi: 645475 registers.ecx: 3639170898	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 52 53 bb f0 cf ff 2d e9 cf f9 ff ff 5b 50 b8 exception.symbol: rama+0x6e05d exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 450653 exception.address: 0x9e05d registers.esp: 9435908 registers.edi: 4294943276 registers.eax: 26972 registers.ebp: 3990663188 registers.edx: 1933118857 registers.ebx: 242921 registers.esi: 672447 registers.ecx: 3639170898	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 53 89 2c 24 57 c7 04 24 a6 9f cd 4e 8b 2c 24 exception.symbol: rama+0x1f1d6d exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2039149 exception.address: 0x221d6d registers.esp: 9435908 registers.edi: 2238514 registers.eax: 32104 registers.ebp: 3990663188 registers.edx: 370921 registers.ebx: 60359577 registers.esi: 0 registers.ecx: 921	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 51 b9 34 a4 bd 3e 81 e9 7d 0b bf c2 e9 4b 02 exception.symbol: rama+0x1f47c5 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2049989 exception.address: 0x2247c5 registers.esp: 9435904 registers.edi: 2243179 registers.eax: 26857 registers.ebp: 3990663188 registers.edx: 61311 registers.ebx: 2241403 registers.esi: 2245569 registers.ecx: 120	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 83 ea 04 e9 ff 00 exception.symbol: rama+0x1f46f8 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2049784 exception.address: 0x2246f8 registers.esp: 9435908 registers.edi: 2243179 registers.eax: 26857 registers.ebp: 3990663188 registers.edx: 61311 registers.ebx: 2241403 registers.esi: 2272426 registers.ecx: 120	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 68 e1 73 e5 18 89 14 24 51 b9 63 dc 32 67 89 exception.symbol: rama+0x1f4cf1 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2051313 exception.address: 0x224cf1 registers.esp: 9435908 registers.edi: 0 registers.eax: 26857 registers.ebp: 3990663188 registers.edx: 61311 registers.ebx: 2241403 registers.esi: 2248274 registers.ecx: 1259	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 56 e9 0e 00 00 00 8f 04 24 5c ff exception.symbol: rama+0x1fb3f5 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2077685 exception.address: 0x22b3f5 registers.esp: 9435908 registers.edi: 0 registers.eax: 202985 registers.ebp: 3990663188 registers.edx: 0 registers.ebx: 2274529 registers.esi: 2248274 registers.ecx: 14288	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 60 1d 00 00 5b 01 f7 exception.symbol: rama+0x1ff4f7 exception.instruction: in eax, dx exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2094327 exception.address: 0x22f4f7 registers.esp: 9435900 registers.edi: 9711334 registers.eax: 1447909480 registers.ebp: 3990663188 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 2280893 registers.ecx: 20	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: rama+0x1feefb exception.address: 0x22eefb exception.module: rama.exe exception.exception_code: 0xc000001d exception.offset: 2092795 registers.esp: 9435900 registers.edi: 9711334 registers.eax: 1 registers.ebp: 3990663188 registers.edx: 22104 registers.ebx: 0 registers.esi: 2280893 registers.ecx: 20	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 14 37 2d 12 01 exception.symbol: rama+0x2004bc exception.instruction: in eax, dx exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2098364 exception.address: 0x2304bc registers.esp: 9435900 registers.edi: 9711334 registers.eax: 1447909480 registers.ebp: 3990663188 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 2280893 registers.ecx: 10	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: rama+0x205778 exception.instruction: int 1 exception.module: rama.exe exception.exception_code: 0xc0000005 exception.offset: 2119544 exception.address: 0x235778 registers.esp: 9435868 registers.edi: 0 registers.eax: 9435868 registers.ebp: 3990663188 registers.edx: 2526963715 registers.ebx: 2316464 registers.esi: 2526991107 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 51 e9 1a 00 00 00 51 b9 aa 0d db 7f 83 c1 01 exception.symbol: rama+0x206529 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2123049 exception.address: 0x236529 registers.esp: 9435908 registers.edi: 9711334 registers.eax: 27900 registers.ebp: 3990663188 registers.edx: 729242941 registers.ebx: 2320012 registers.esi: 6379 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 55 68 78 9d 1a 22 89 0c 24 50 b8 f7 f5 fe 6f exception.symbol: rama+0x20dd56 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2153814 exception.address: 0x23dd56 registers.esp: 9435908 registers.edi: 9711334 registers.eax: 0 registers.ebp: 3990663188 registers.edx: 2350616 registers.ebx: 3968029520 registers.esi: 6379 registers.ecx: 2331050	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 61 06 00 00 c1 e2 05 e9 59 02 00 exception.symbol: rama+0x215fda exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2187226 exception.address: 0x245fda registers.esp: 9435904 registers.edi: 638082 registers.eax: 29146 registers.ebp: 3990663188 registers.edx: 6 registers.ebx: 21714518 registers.esi: 2383179 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 68 cd f9 45 74 ff 34 24 59 83 ec 04 89 34 24 exception.symbol: rama+0x216884 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2189444 exception.address: 0x246884 registers.esp: 9435908 registers.edi: 638082 registers.eax: 29146 registers.ebp: 3990663188 registers.edx: 0 registers.ebx: 262633 registers.esi: 2386129 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 52 ba 64 df fb 7f 81 ef 0a 83 37 2f 29 d7 53 exception.symbol: rama+0x21978d exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2201485 exception.address: 0x24978d registers.esp: 9435896 registers.edi: 2395656 registers.eax: 30570 registers.ebp: 3990663188 registers.edx: 1219948726 registers.ebx: 262633 registers.esi: 2386129 registers.ecx: 1950742989	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 50 e9 94 01 00 00 40 f7 d8 52 e9 43 fd ff ff exception.symbol: rama+0x21919a exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2199962 exception.address: 0x24919a registers.esp: 9435900 registers.edi: 2426226 registers.eax: 30570 registers.ebp: 3990663188 registers.edx: 1219948726 registers.ebx: 262633 registers.esi: 2386129 registers.ecx: 1950742989	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 57 bf f2 07 bf 75 83 ec 04 e9 8a fb ff ff 89 exception.symbol: rama+0x219731 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2201393 exception.address: 0x249731 registers.esp: 9435900 registers.edi: 2398326 registers.eax: 30570 registers.ebp: 3990663188 registers.edx: 2298801283 registers.ebx: 0 registers.esi: 2386129 registers.ecx: 1950742989	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 bf 00 d2 fb 7f c1 e7 01 c1 exception.symbol: rama+0x22086f exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2230383 exception.address: 0x25086f registers.esp: 9435900 registers.edi: 2452819 registers.eax: 28469 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 110136652 registers.esi: 2386129 registers.ecx: 740360192	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 06 02 00 00 89 04 24 55 bd 36 ea ff 3f b8 exception.symbol: rama+0x22017a exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2228602 exception.address: 0x25017a registers.esp: 9435900 registers.edi: 2427251 registers.eax: 28469 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 110136652 registers.esi: 0 registers.ecx: 1783979243	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 35 f4 bd 1f 81 0c 24 53 ed f9 27 exception.symbol: rama+0x22b466 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2274406 exception.address: 0x25b466 registers.esp: 9435900 registers.edi: 1392536160 registers.eax: 0 registers.ebp: 3990663188 registers.edx: 2467330 registers.ebx: 2467330 registers.esi: 681533 registers.ecx: 2474304	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 78 fa ff ff 5c 89 0c 24 89 e1 68 43 22 a6 exception.symbol: rama+0x240f62 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2363234 exception.address: 0x270f62 registers.esp: 9435868 registers.edi: 2560053 registers.eax: 31467 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 1528247507 registers.esi: 0 registers.ecx: 1656588640	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 9b fe ff ff 68 03 2e 20 64 89 14 24 51 b9 exception.symbol: rama+0x241df6 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2366966 exception.address: 0x271df6 registers.esp: 9435864 registers.edi: 0 registers.eax: 27620 registers.ebp: 3990663188 registers.edx: 469707555 registers.ebx: 1385110076 registers.esi: 2560081 registers.ecx: 2563162	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 68 79 b0 dd 50 89 2c 24 51 68 50 b5 6b 5c e9 exception.symbol: rama+0x242132 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2367794 exception.address: 0x272132 registers.esp: 9435868 registers.edi: 0 registers.eax: 27620 registers.ebp: 3990663188 registers.edx: 469707555 registers.ebx: 13887826 registers.esi: 4294942656 registers.ecx: 2590782	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 57 55 89 e5 81 c5 04 00 00 00 81 ed 04 00 00 exception.symbol: rama+0x24319b exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2371995 exception.address: 0x27319b registers.esp: 9435864 registers.edi: 0 registers.eax: 2566623 registers.ebp: 3990663188 registers.edx: 469707555 registers.ebx: 1565673281 registers.esi: 4294942656 registers.ecx: 2590782	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 9a ff ff ff 47 81 ef 85 61 bf 2b 29 f9 5f exception.symbol: rama+0x242fc0 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2371520 exception.address: 0x272fc0 registers.esp: 9435868 registers.edi: 0 registers.eax: 2598225 registers.ebp: 3990663188 registers.edx: 469707555 registers.ebx: 1565673281 registers.esi: 4294942656 registers.ecx: 2590782	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 bf 6a 31 ff 2d 81 c7 7d b7 exception.symbol: rama+0x242eba exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2371258 exception.address: 0x272eba registers.esp: 9435868 registers.edi: 0 registers.eax: 2598225 registers.ebp: 3990663188 registers.edx: 469707555 registers.ebx: 1565673281 registers.esi: 4294938636 registers.ecx: 44777	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 2d fd ff ff 5f 57 bf fc 82 ed ed 89 f8 5f exception.symbol: rama+0x2475f4 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2389492 exception.address: 0x2775f4 registers.esp: 9435864 registers.edi: 2584304 registers.eax: 29889 registers.ebp: 3990663188 registers.edx: 0 registers.ebx: 648908 registers.esi: 4294938636 registers.ecx: 1969225870	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 52 55 68 fd 4d ef 5f 5d f7 d5 81 c5 7a d2 ec exception.symbol: rama+0x247224 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2388516 exception.address: 0x277224 registers.esp: 9435868 registers.edi: 2614193 registers.eax: 29889 registers.ebp: 3990663188 registers.edx: 4294940840 registers.ebx: 648908 registers.esi: 5695824 registers.ecx: 1969225870	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 05 e3 24 9f 4f 57 51 b9 61 29 7b 7b bf 90 3f exception.symbol: rama+0x2483c2 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2393026 exception.address: 0x2783c2 registers.esp: 9435864 registers.edi: 2614193 registers.eax: 2588199 registers.ebp: 3990663188 registers.edx: 1172839836 registers.ebx: 786166922 registers.esi: 5695824 registers.ecx: 1969225870	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 55 50 e9 d9 00 00 00 c1 24 24 06 81 ec 04 00 exception.symbol: rama+0x2481fd exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2392573 exception.address: 0x2781fd registers.esp: 9435868 registers.edi: 24811 registers.eax: 2613751 registers.ebp: 3990663188 registers.edx: 1172839836 registers.ebx: 4294944444 registers.esi: 5695824 registers.ecx: 1969225870	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 50 b8 bf 99 b6 7f 56 e9 15 00 00 00 29 f0 e9 exception.symbol: rama+0x24b55e exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2405726 exception.address: 0x27b55e registers.esp: 9435868 registers.edi: 2597605 registers.eax: 30688 registers.ebp: 3990663188 registers.edx: 3056357480 registers.ebx: 856327041 registers.esi: 2630398 registers.ecx: 4294939716	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 81 e9 04 00 00 00 exception.symbol: rama+0x24b9f9 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2406905 exception.address: 0x27b9f9 registers.esp: 9435864 registers.edi: 2597605 registers.eax: 29472 registers.ebp: 3990663188 registers.edx: 2603154 registers.ebx: 1552364043 registers.esi: 2630398 registers.ecx: 4294939716	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 50 89 e0 05 04 00 00 00 56 exception.symbol: rama+0x24c073 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2408563 exception.address: 0x27c073 registers.esp: 9435868 registers.edi: 2597605 registers.eax: 29472 registers.ebp: 3990663188 registers.edx: 2632626 registers.ebx: 1552364043 registers.esi: 2630398 registers.ecx: 4294939716	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 65 f3 ff ff c1 24 24 04 exception.symbol: rama+0x24c58d exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2409869 exception.address: 0x27c58d registers.esp: 9435868 registers.edi: 0 registers.eax: 157417 registers.ebp: 3990663188 registers.edx: 2606722 registers.ebx: 1552364043 registers.esi: 2630398 registers.ecx: 4294939716	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 52 e9 1f fc ff ff b8 27 ff bf 7b 48 f7 d0 e9 exception.symbol: rama+0x25ed25 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2485541 exception.address: 0x28ed25 registers.esp: 9435864 registers.edi: 2659189 registers.eax: 29893 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 2679410 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 53 e9 93 01 00 00 31 1c 24 33 1c 24 5c 89 2c exception.symbol: rama+0x25e8dd exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2484445 exception.address: 0x28e8dd registers.esp: 9435868 registers.edi: 2659189 registers.eax: 29893 registers.ebp: 3990663188 registers.edx: 0 registers.ebx: 604292951 registers.esi: 2682931 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 68 e1 52 64 15 e9 8a 00 00 00 59 81 f1 b6 09 exception.symbol: rama+0x263e62 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2506338 exception.address: 0x293e62 registers.esp: 9435864 registers.edi: 1763025447 registers.eax: 28241 registers.ebp: 3990663188 registers.edx: 49132 registers.ebx: 2684454 registers.esi: 2701008 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 51 e9 45 ff ff ff 56 89 e6 81 c6 04 00 00 00 exception.symbol: rama+0x263c2e exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2505774 exception.address: 0x293c2e registers.esp: 9435868 registers.edi: 1763025447 registers.eax: 322689 registers.ebp: 3990663188 registers.edx: 0 registers.ebx: 2684454 registers.esi: 2704125 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 6c 02 00 00 01 fb 5f e9 bb fd ff ff 83 c4 exception.symbol: rama+0x26f441 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2552897 exception.address: 0x29f441 registers.esp: 9435868 registers.edi: 2728801 registers.eax: 27152 registers.ebp: 3990663188 registers.edx: 7398232 registers.ebx: 2705404 registers.esi: 2775659 registers.ecx: 740360192	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 89 1c 24 e9 73 fe ff ff 89 exception.symbol: rama+0x26f52d exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2553133 exception.address: 0x29f52d registers.esp: 9435868 registers.edi: 2728801 registers.eax: 27152 registers.ebp: 3990663188 registers.edx: 7398232 registers.ebx: 411764072 registers.esi: 2751915 registers.ecx: 0	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 53 52 e9 0c 00 00 00 c7 04 24 c1 48 73 52 e9 exception.symbol: rama+0x2735dd exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2569693 exception.address: 0x2a35dd registers.esp: 9435864 registers.edi: 2764256 registers.eax: 28389 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 411764072 registers.esi: 2751915 registers.ecx: 740360192	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 43 00 00 00 01 fa 5f 83 c2 04 87 14 24 5c exception.symbol: rama+0x27335e exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2569054 exception.address: 0x2a335e registers.esp: 9435868 registers.edi: 2792645 registers.eax: 28389 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 1371900245 registers.esi: 2751915 registers.ecx: 4294941444	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 32 03 00 00 81 c4 04 00 00 00 56 83 ec 04 exception.symbol: rama+0x2841ce exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2638286 exception.address: 0x2b41ce registers.esp: 9435868 registers.edi: 1763025447 registers.eax: 2865582 registers.ebp: 3990663188 registers.edx: 11 registers.ebx: 2806165 registers.esi: 8372204 registers.ecx: 12	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb e9 a9 fb ff ff 89 e3 e9 0e 04 00 00 5a c1 e9 exception.symbol: rama+0x284455 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2638933 exception.address: 0x2b4455 registers.esp: 9435868 registers.edi: 604292949 registers.eax: 2865582 registers.ebp: 3990663188 registers.edx: 11 registers.ebx: 2806165 registers.esi: 4294938744 registers.ecx: 12	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 ba 7e ab da 77 81 exception.symbol: rama+0x28ecdb exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2682075 exception.address: 0x2becdb registers.esp: 9435864 registers.edi: 604292949 registers.eax: 29435 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 1394648611 registers.esi: 2877609 registers.ecx: 2133442087	1
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: fb 53 55 52 ba fe 53 f9 7b 81 f2 5e 92 66 14 89 exception.symbol: rama+0x28ed85 exception.instruction: sti exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2682245 exception.address: 0x2bed85 registers.esp: 9435868 registers.edi: 604292949 registers.eax: 29435 registers.ebp: 3990663188 registers.edx: 2130566132 registers.ebx: 1394648611 registers.esi: 2907044 registers.ecx: 2133442087	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/cost/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/num/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (13 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://31.41.244.11/cost/random.exe
request	GET http://31.41.244.11/steam/random.exe
request	GET http://31.41.244.11/num/random.exe
request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 93 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00031000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x013b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:15 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svoutse.exe tried to sleep 1186 seconds, actually delayed analysis time by 1186 seconds

An application raised an exception which may be indicative of an exploit crash (8 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2668 crashed
Application Crash	Process firefox.exe with pid 2928 crashed
Application Crash	Process firefox.exe with pid 1152 crashed
Application Crash	Process firefox.exe with pid 1948 crashed
__exception__ Aug. 19, 2024, 2:09 p.m.	stacktrace: 0x980004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x980004 registers.r14: 246608792 registers.r15: 86077184 registers.rcx: 1324 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 246608048 registers.rsp: 246607768 registers.r11: 246611664 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 504 registers.r12: 246608408 registers.rbp: 246607904 registers.rdi: 85940848 registers.rax: 9961472 registers.r13: 86153168	1	0	0
__exception__ Aug. 19, 2024, 2:08 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9104856 registers.r15: 8791391901296 registers.rcx: 48 registers.rsi: 8791391832960 registers.r10: 0 registers.rbx: 0 registers.rsp: 9104488 registers.r11: 9107872 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14915376 registers.rbp: 9104608 registers.rdi: 254910496 registers.rax: 13442816 registers.r13: 9105448	1	0	0
__exception__ Aug. 19, 2024, 2:17 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9237336 registers.r15: 8791555544688 registers.rcx: 48 registers.rsi: 8791555476352 registers.r10: 0 registers.rbx: 0 registers.rsp: 9236968 registers.r11: 9240352 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14922128 registers.rbp: 9237088 registers.rdi: 260157696 registers.rax: 13442816 registers.r13: 9237928	1	0	0
__exception__ Aug. 19, 2024, 2:17 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9763168 registers.r15: 9762672 registers.rcx: 48 registers.rsi: 14759776 registers.r10: 0 registers.rbx: 0 registers.rsp: 9761720 registers.r11: 9763920 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9762503 registers.rbp: 9761840 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 5884 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat
file	C:\ProgramData\vcruntime140.dll
file	C:\Users\test22\1000010002\b936c46ad4.exe
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (3 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\1000010002\b936c46ad4.exe" & del "C:\ProgramData\*.dll"" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Users\test22\1000010002\b936c46ad4.exe" & del "C:\ProgramData\*.dll"" & exit

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe
file	C:\Users\test22\1000010002\b936c46ad4.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe
file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 19, 2024, 2:15 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1
ShellExecuteExW Aug. 19, 2024, 2:15 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe	1	1
ShellExecuteExW Aug. 19, 2024, 2:15 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe	1	1
ShellExecuteExW Aug. 19, 2024, 2:15 p.m.	show_type: 0 filepath_r: C:\Users\test22\1000010002\b936c46ad4.exe parameters: filepath: C:\Users\test22\1000010002\b936c46ad4.exe	1	1
ShellExecuteExW Aug. 19, 2024, 2:15 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe" filepath: C:\Windows\sysnative\cmd	1	1
ShellExecuteExW Aug. 19, 2024, 2:15 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c timeout /t 5 & del /f /q "C:\Users\test22\1000010002\b936c46ad4.exe" & del "C:\ProgramData\*.dll"" & exit filepath: C:\Windows\System32\cmd.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: mobsync.exe process_identifier: 1552	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 1696	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: taskhost.exe process_identifier: 880	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: SearchProtocolHost.exe process_identifier: 1076	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: cmd.exe process_identifier: 300	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: conhost.exe process_identifier: 1516	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: SearchFilterHost.exe process_identifier: 1700	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 2056	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: svoutse.exe process_identifier: 2320	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: chrome.exe process_identifier: 2668	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: firefox.exe process_identifier: 2752	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: chrome.exe process_identifier: 2788	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: firefox.exe process_identifier: 2928	1	1
Process32NextW Aug. 19, 2024, 2:15 p.m.	snapshot_handle: 0x00000298 process_name: b936c46ad4.exe process_identifier: 1476	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000009ca75e0000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes svoutse.exe, b936c46ad4.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2V0@ \|qÈüpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcüV@@h¬hhAè\@ÄhèU@£AhhhèB@£Aè¼?¸pA£4AèÝÍèIËèCèÇèZèÔèøèx}è@CèÃ¶èk¡º.pA AèÓ?hõÿÿÿèã?£<A¸P¸AP1ÀPhhèÿ5 AèhhxpA APhè_ÿ5¨AèæhhppA¨APhè9hAhpAhh¡hèÊº:pA lAè+?ÿ5°AèhhppA°APhèå;@PèÁRèÍZPèÅhHAè:Íè XAûuèfèS,hèè±Ìÿ5AèÎ>èÏ>èµAèèçè½èìÀèSÃUSWºìÇ$JuóT$X$èa>ÿ4$èùDD$ÿt$èLD$T$RhhhhèÉT$RhhhhèvÉÇD$ÇD$ ÇD$$ÇD$(ÇD$,ÇD$0ÇD$ ÇD$ ÿt$XD$4ÿt$XD$8ÇD$ë¸ÿ;D$\|Tÿt$l$8XE\$4Ã\$4l$8¾]!Ûu ÿt$XD$8l$8¾EP\$ l$ÁãXD\$8C\$8ÿD$q¡ÇD$ ÇD$ë¸ÿ;D$\|m\$ \|$l$Áç\=\|$l$Áç\=ãÿ\$ \$l$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXDÿD$qÇD$ÇD$ ÿt$PXD$<ÇD$(ë\$TK;\$(Ã\$Cãÿ\$\$ \|$l$Áç\=ãÿ\$ \$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXD\$Áã\\|$ Áç\|=çÿûãÿ\$$\$$ÁãÿtXD$0l$<¾]3\$0Sl$@XE\$<C\$<ÿD$(.ÿÿÿT$RhhhhèÇT$RhhhhèÇÿt$èD$Pë1Àÿ4$èmÊPÿt$è0Èÿt$è'ÈXÄ@_[]ÂUSºìÇ$Juóè§ÊAû2\|AûuhAût¸ë1À!À¸&pAPÿ5AèB$ÇD$ë$;D$RèÉZPRèøÈZP¸fpAPÿt$ÿ5AèQBD$PèÉÿt$èé!ÀtLRèÄÈZPÿt$è3D$PèïÈT$Rè¥ÈZPRè=ÊT$Rè3ÊºfpARè(ÊD$Pè¾ÈÿD$aÿÿÿÿt$èë@D$hD$Pÿt$è4Pÿt$ ÿ5<AèX:ÿt$è;º$pA Aè:éÎÇAÇD$RèÈZPRèÈZP¸.pAPÿt$(ÿ5$Aè_AD$Pè%È¸2pAPÿt$èCD$ \|$ t\RèÅÇZPRè½ÇZP¸2pAPhÿt$ èAD$(PèÝÇRèÇZPRèÇZP¸2pAPhÿt$ èé@D$Pè¯ÇT$1Éè:î\$Ø¹÷ùÓ!Ûu+ÿt$è¡BP\$-AkÛÝXE\$C\$éRèÇZPRèÇZPhÿt$è¡CèüÈº6pAYQèÐ9Áè9´PARè×ÆZPRèoÈlARècÈRè½ÆZPRèµÆZP¸6pAPÿt$ èÄEXD$,PèÙÆÿt$(èÕAûuÿt$$èÜAPÿt$,è7ÿt$(è'$ARè]ÆZPRèõÇT$,RèëÇºfpARèàÇAPètÆé½Rè)ÆZPRè!ÆZP¸6pAPÿt$è0ED$PèFÆT$RèüÅZPRèÇ\$-AkÛÝEPèÆÿt$$è3AP\$-AkÛÝXEARè³ÅZPRèKÇPARè?ÇlARè3ÇT$Rè)ÇºfpARèÇAPè²Åëë\$C\$éLýÿÿD$ë1Àÿt$èÆÿt$(èÆÿt$è Æÿt$$èÆÿt$èûÅÄ,[]ÃS1ÀPPPPPPèWÆ¸qA£4AÇ$ë¸;$\|d¡4A¾D$ÿ4ARèâÄZPRèÚÄZP\$kÛÿSèDD$PèÅT$Rè·ÄZPRèOÆT$RèEÆD$PèÛÄÿ$qhè¬D$RèÄZPRèzÄZPèID$Pè©Äÿt$h¸$pAPÿt$ èk6RèKÄZPRèCÄZPÿt$èxxAPèlÄÿ5xAèÿ5xAè[ÿt$h¸$pAPÿ5xAè6RèöÃZPRèîÃZPÿt$è#,APèÄÿ5,Aè3ÿ5,Aèÿt$h¸$pAPÿ5,AèÁ5ÿ5,Aèw8RèÃZPRèÃZPÿt$èÃ@APè·Ãÿ5@AèÓÿt$ÿ5@Aè>8ÿt$h¸$pAPÿ5,Aè]5Rè=ÃZPRè5ÃZPÿt$èjpAPè^Ãÿt$èë1Àÿt$èØÃÿt$èÏÃÿt$èÆÃÄ[ÃUS1ÀPPPPPPè"ÄRèÜÂZPhhRèÊÂZPRèÂÂZPèÓzè¸5$èÎ4èÉ5$h !@Pÿt$è·4ÿ4$èµ4ÿ5°AèA request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELüÛÂfà ( @@ `Ì'O@°(&`& H.text$ `.rsrc°@@@.reloc`@B(H cnhRq&XT·Ò~âE;ù/ÉRµ¤j&ä2Èç4Þc¹d6tl9ãðÐ.jæµ{ÇIq/I"1=ødf/MÜlî¸ C ñãÃ¦My§}³áß1pB2Õ0T¾\GxKf`r2¤õ¼õ³i«ú-àW'DtÞëPTM Ð¡a{Ý K°¯56H¾ZÓÚ©åû´<bå¢í¥e¯db¶òo¹dpj½pÂÎÖNjnû¿6wX®Òýs¹Ç°v{øMl[u0<Ø§2(¶8Ê5ì¾Â/°gCª²üîÒóø/%vbû'¡B/îâ¥ÁwjüsPCÉ£±°Îå 6R0®¬j:=1heÉ¥÷Rõ°¹þi¼J\|FlÄF2ïù¬n ;zK!E¿FÏÔ {åDCX¼ÈZÀÀ1Ì7è¹®Ò^udCdUÜÆ\ðÜ:Á¿ykIî&×Z¦ êã96º¥3Ç îã¿d¯±G:ëx;Õ¿AÎÄÊËBòÇ^& ãáwStû þôFfreuÇ°×³ÒW'N 0ªØ/¥IoT1ÛvÁþnëßIðÌ9K"kËÐf½ØïU¢1^àþLo°ýèÜÐ(wN,¦E9¸jÞbÁDòÖ ìvKÿú9ÍKEö"ìA©q¦jaòº«ù¬ùáBþ®¸5åø2õt§~÷bxf5MáéGÚ&IÃ¥^Õ~#yôëÔU6bê[¹é]½ªw£ûb'Ï´þ0Ãªi¼Çù¢nõ&î¡G MK)üA(n6ºÔÈ;.9ÂÊZ%ãÎ:6î ÐâÜrÿ¥{¿þÂâÆykÍ6ÃzîàaýðôC÷"àKò:ÛýåÌ1ÌÍ®óDàl£ÜØd¦¶sóÝk8ó¤S¯ÓÉÖ¹sÌf¾PíTÚþö¾ÂkÍVÌVZD_s¿¾FÜÇjW¤k ³+kê B3[ÿYEô/x.óácI ¾m'æE=²?ÕêgÃfZc¬àvQ=JîW/ôËÌRf¤gð7×F¬b-ï_ÄØG>;ùä Äãf"Ô½Ú67ú¨ Tñ5Õ=Áopëf»Ös%Þw¯Þ¨-Ö W«+jI WfûËÔ'SËtnüÍ Þ° l&Êc5§ñFI=xÉ±[Qväeí))¢f®Âµà<º¨EZ}A]ÀÁÙXÊ¼$RÕÄy;ÆÒsqû{¥®ïK zÒ-Qv+LúXçS61àÀ48rÁ+ÉTzuE#xÒW¤~d©oIa!ÍïëéWÝÏäQÜßÝz¨÷¨ðoé¨c\|©òµîioç9wïxÇÓìâ](0`GqM%ñEøÚ©¶äs[VÎò±U«Å¯jãàÁ²æÑzøpçäìØ4ÔU3÷J:ÝÀ]D¿æÿð&]TÔ{ej$ÎsÂ¿äM/lÏTeòfÅ{ä\ ;Y¶Ý:»SÖuï y$}¯ÞWWTÊýÌ >&^~=#Ø±î$§ cúEu¼µZêV/I¢EÇ ·`=Ö'ýï ~«~O°;tÙ5`¼FJÎV \ÏEð½ÅX¾,Ù4^'¥bÞá×mU/ÀR.÷¸ä¶(L-_ÈN$T°ó7µxO®¦üº%ÇQ£QhefñLoÅÿw"o^£·4ÉE¦ÓU×-åÜu¿Ï×¥©<Ñdµ»!®Ð7g)=\|8µ±1ÃÞïÞn¿I+% Ú5'¨ìÑE³/£íLó^Ú)7>GÌâLT¡<±ñ@9 ¡Kxå½)ð$[ýI/!¨k®ðÁmhQö,h»Iôö¬ÅPBdI_U?`",¦(5}Ãp_¦^þÖü2zíÃ\|ÁÎëó¸ªmteÂµ_ÉC=\Ø³¶Õf'\ºwóc¦láÅ¸ôí,Èê'íÍ2ã@o@ºw}÷Û3-<dÆ5r?JA oML3Êúâ«ILñFy NÔIUyªØ[h}\¯FgHSý/TÝÐ-T"M7ë-ÎEJ³×w+âÁÏG4+¼»/Ç2rà>ÎáP·'Àbß >þÊ\¦Ü"TRì¦Ã{¼Qü/ÞOÊãÛe5¿ Óp¯qòÜí6<}·¤Ú»5¢Å±ýhöédCuk÷ð-¨"²hîCïzü6ÐÁù§ÛüÍÂ}º µº;I Ø³rç¿ª+TñÝ ]UÜëáñ!þIT^LvôùIfuh¯+w\|ztÎkhÂ¾xÐ×í2Y÷¤bîd&º/Àþ)bÑªÝÃ« ý"DpÏß,Õ~F¬£å%ÉólR 2®`[ÒÏ= ãñÿVTçwÎ$Ë6[;®Iü ·gëi-¥°õæ¯¦ öz¹d]#µ²>õ öÞÈßïBZ+éoýÄð©û$÷ÿ£Û.Á-a9ü;TòÇ¨ÛÐ¥'ÖWðÔ;:ÈF¾EUVû5RrAI`Ûy¦>t×Ð3XÂd`GqÒ ?&¾e,"'ò¡Æ;ÖZ øÉ¥¶ùnñ¿íÿ¹Lf÷h$Smèy 1¡+¹ÄÁmåÝ"ùL1b´:KrÙ¨´£ÁPg¶ÆxFª÷_é6ýn$Ù6~(LØ\ïI")=¤.fÃ¦oÆè2½ôí¯je¯àAí× Íø£ÃÒ"£KÉþH/+7eÊjåª:q U vi7ÙBÙU{§3'bÓFësÉQpQ ¶`ÌÉÛp¶wÛý§Ý;Ù·,Íà§=uÕÎ¯°r8Y®~ªË¡X(Sk¯ \|Ã}5ÿrßÕ/¼ÈõÐÂu¦æOaÐl äÎôÕó¢[v)!þPÍó1î%Ì{_³`Ð/s¤µ¹Up>ù Bü~«ÔlÍã³BØ´Óe©ÊêC²ù¬ARÃvÃ[ÿAáºñÌùÝ«¯m{Þ»û¸[\ô<dQ?×F×è%· aþPÅµyspN$(ÝHÃÇF½Íéi¨{Aå nm¾!¡YOXÇÍ®Çc)Å~cåxáðD+~[]5ì.I <>áÕÜ9TÐ²Î[¡êGçe ¯÷¥×öÂÊãõZá0%ÍÏo~7!ªÂ(ÏQS´$F¶`GåÀÛ'pÚäÇäTG z²Jôy¾Ñ×hXú^szàfÿ£¢9øpý¯ÒËopß]èÃò8tPäÞ/yu®8³æ±E+à&T¦e¼@¦åGm´{ ëõEòÓÆ§or[;¯éÓ,BÒXç«Il kfÏµGG%k&µ#FjHécÂ[¦àÖDa¨´HjvMá%QkXÞÔPý2&¢/ÙÃíüV>#ôÇ]aó¼ÔIÃë~`ÛÂH2Ô@tn'sÄoP%ik »Ozå%Þgs£z½/ eª X¡sVÊv¼Å5Ð ±IïAUìGvcßUhâ¤¢ãáQòÚ³?EÎô À)Ô \|RÑXfïI?ØÎ©¶áiÐò +Q¤ÿÂÆÔþ\`ÿm»7¬ÅÐvT8-TªY£ß1±¢;.r Í_^:ëX-Pía+ÊJiF¦ åÉ0¹ÙîDp)»Ô4!ðûa° 2BP5³üíVºù;j¾¡ÏnW%¦÷pÛm'!¸«¥gïoV37¬ðwKÆù¶Ñ}ý=v]äHRsi7ÁÃ Â\jºÃHYõ¡ÜÕfxJ?©ÚÆI¿Ë°øÚ*Æ¢·jWÏ¶£Up£>L4üÆN$ÝA7`]Ö\ô¼JH¥äJKÿÜäÂ?«"Uzfyh«NI³ÖÀ@©Aíu_7] »lÝºN ¯hìípVd¬÷¿ç=°µ §ñÕBR 7RÇ4ÆiEãÕC%ØzÃQ½}qÅÌëÜIZ¬'gbcÑÐah)²MÖ°ixn¾£imÀêG;ÀrrõÕ°kt§°ÃâqOF0© ¬ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¡Â´fà ÈB"dà@0$@Ð©<à#\|$àô.textJÆÈ à.rdataæÎàÐÌ@@.data+!°@À.relocDà#F¨@By¹ApÈAÙÈAUìQEEü}tMüÆUüÂUüEèEëàEå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìEèExMÿUMMMëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSjh0hÀAÈjÿ$ÐbEüPøtÀüÉÀøX}üt,ÀhÀæEüPèNsSÉÉü[hhÀAÈMüQÿdÏb[å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQÇEüjj@h0hÐjÿØÐbPÿÐbEü}üujÿìÏbèRÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì(EÜPÿtÏbMðMØ}ØsjÿìÏbå]ÃÌÌÌÌÌÌÌÌUì¡@ÍbPèâaPè,sÄÀu! ÎbQè9aPèsÄÀujÿìÏb]ÃÌÌUììjjj¡ÐÈbPÿ,ÐbEôj MôQÿÐÏbEøUôRjÿpÐb}ø}jÿìÏbå]ÃÌÌÌÌÌUììHj@jE¸PèrÇE¸@M¸QÿÑbøujhUÄREÀPèÁjhRPèÁEøUüëÇEøÇEü}üwr }øWsjÿìÏbå]ÃÌÌUììÇEøÿhjÿÀÐbPÿXÐbEôEüPhjMQURÿ¬ÏbÀuEøPMôQjjUREüPÿÏbMüQÿ(ÐbEôå]ÃÌÌÌÌUìì\hèjüÿÿPÿäàAÄh4MBhäMBhè\ÿÿÿÄPüÿÿQÿlÐbüÿÿRÿÏbøÊhbBüÿÿPÿlÐbhÿ Büÿÿèh¬NBàûÿÿQðÉbRìûÿÿPüÿÿèÎÈèÇPüÿÿè«àûÿÿèìûÿÿèõhBøûÿÿè%jÈûÿÿQèrÄP¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèdÈèÍPøûÿÿèA¼ûÿÿèÔûÿÿèÈûÿÿèjøûÿÿèCPüÿÿRÿ0ÏbüÿÿPüÿÿQìÌøûÿÿRèæèÄÀtMüÿÿPüÿÿQìÌüÿÿRè»ìÌEPèÊ¤ûÿÿQè7Ä ¤ûÿÿèíøûÿÿè²PÿÏbøûÿÿèüÿÿèjjüÿÿRÿäàAÄøûÿÿè¦üÿÿèMèå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüÁ\|ènMüÁHècMüÁ<èXMüÁ0èMMüèåå]ÃÌUìQMüEPMüè MÁ0QMüÁ0è»UÂ<RMüÁ<è©EÀHPMüÁHèMüUBTATMüUBXAXMüUB\A\MüUB`A`MüUBdAdMüUBhAhMüUBlAlMüUBpApMüUBtAtMüUBxAxMÁ\|QMüÁ\|è Eüå]ÂÌÌÌÌUìQMüMüÁ$èNMüÁèCMüÁè8Müè0å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMÁQMüÁèUÂRMüÁèEÀ$PMüÁ$èwEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììthBMèèêhBMôèÝEüÿÿ½üÿÿt½üÿÿtW½üÿÿéÇjhþÿÿQèqÄP\þÿÿRMèèoPMèèæ\þÿÿè;hþÿÿè0éjPþÿÿPèÍpÄPDþÿÿQMèèPMèè¡DþÿÿèöPþÿÿèëë@j(8þÿÿRèpÄP,þÿÿPMèèèPMèè_,þÿÿè´8þÿÿè©}0hbBüýÿÿQURþÿÿPhdOBþÿÿQUèR þÿÿPMôèÈèÈè{ÈèPMôèëüýÿÿè@þÿÿè5þÿÿè þÿÿèéM$QÀýÿÿRh´PBÌýÿÿPMQØýÿÿRhPBäýÿÿPMèQðýÿÿRMôèùÈèÈèëÈètÈèÝPMôèTÀýÿÿè©ÌýÿÿèØýÿÿèäýÿÿèðýÿÿè} þÿÿPMôè>PÿÑbEä}äÿu5MôèVMèèNMèFMè>M$è6M4è®ûÿÿéh\QBÌþÿÿQÿÐbÀthRBÌþÿÿRÿÐbÀué}hBþÿÿè(}0æE$PlýÿÿQhüSBxýÿÿRÌþÿÿPýÿÿQhTSBýÿÿREPýÿÿQh¬RB¨ýÿÿREèP´ýÿÿQþÿÿè Èè)ÈèÈèÈèÈè ÈèvPþÿÿèêlýÿÿè?xýÿÿè4ýÿÿè)ýÿÿèýÿÿè¨ýÿÿè´ýÿÿèýé¦ÌþÿÿR0ýÿÿPhLUB<ýÿÿQURHýÿÿPh¤TBTýÿÿQUèR`ýÿÿPþÿÿèÑÈèZÈèÃÈèLÈèEPþÿÿè)0ýÿÿè~<ýÿÿèsHýÿÿèhTýÿÿè]`ýÿÿèRìÌþÿÿRèáèlÄÀ«h BþÿÿèahVBüüÿÿPMQýÿÿRhôUBýÿÿP ðÉbQ ýÿÿRþÿÿèÈèÈè÷Èè request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 19, 2024, 2:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.98454766920763, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98454766921

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a3600', u'virtual_address': u'0x0031a000', u'entropy': 7.9536392612435085, u'name': u'gtwryuai', u'virtual_size': u'0x001a4000'}

entropy

7.95363926124

description

A section with a high entropy has been found

entropy

0.994122361742

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 127 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	https://accounts.google.com/ServiceLogin?service=accountsettings
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0

Yara rule detected in process memory (50 out of 76 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Aug. 19, 2024, 2:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x0000029c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 19, 2024, 2:09 p.m.	status_code: 0xc0000005 process_identifier: 2668 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess Aug. 19, 2024, 2:09 p.m.	status_code: 0xc0000005 process_identifier: 2668 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\test22\1000010002\b936c46ad4.exe" & del "C:\ProgramData\*.dll"" & exit
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe"
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Users\test22\1000010002\b936c46ad4.exe" & del "C:\ProgramData\*.dll"" & exit

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	31.41.244.10
host	31.41.244.11

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 19, 2024, 2:08 p.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 19, 2024, 2:16 p.m.	process_identifier: 1152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 19, 2024, 2:16 p.m.	process_identifier: 1152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 19, 2024, 2:16 p.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 19, 2024, 2:16 p.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 367 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 19, 2024, 2:15 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2fd9b80b02.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5c887e602a.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\b936c46ad4.exe	reg_value	C:\Users\test22\1000010002\b936c46ad4.exe
file	C:\Windows\Tasks\svoutse.job

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: base_address: 0x000000013ff922b0 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: base_address: 0x000000013ffa0d88 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: I»`#ö?Aÿã base_address: 0x0000000077711590 process_identifier: 2928 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: µ base_address: 0x000000013ffa0d78 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: I» ö?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2928 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: µ base_address: 0x000000013ffa0d70 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: ÏT base_address: 0x000000013ff40108 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013ff9aae8 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:08 p.m.	buffer: base_address: 0x000000013ffa0c78 process_identifier: 2928 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5a22b0 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5b0d88 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: I»`#W?Aÿã base_address: 0x0000000077711590 process_identifier: 1152 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: § base_address: 0x000000013f5b0d78 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: I» W?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1152 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: § base_address: 0x000000013f5b0d70 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: ÏT base_address: 0x000000013f550108 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f5aaae8 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5b0c78 process_identifier: 1152 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5a22b0 process_identifier: 1948 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5b0d88 process_identifier: 1948 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: I»`#W?Aÿã base_address: 0x0000000077711590 process_identifier: 1948 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5b0d78 process_identifier: 1948 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: I» W?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1948 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5b0d70 process_identifier: 1948 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: ÏT base_address: 0x000000013f550108 process_identifier: 1948 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f5aaae8 process_identifier: 1948 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 19, 2024, 2:16 p.m.	buffer: base_address: 0x000000013f5b0c78 process_identifier: 1948 process_handle: 0x0000000000000048	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Aug. 19, 2024, 2:15 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	svoutse.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (6 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\f68e7be3-9e2b-4ffe-97d7-a1ef27c9922c.dmp"
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1084,1686251424030752262,2892902276595057861,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1112 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3f86e00,0x7fef3f86e10,0x7fef3f86e20
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (36 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2520 resumed a thread in remote process 2576
Process injection	Process 2576 resumed a thread in remote process 2668
Process injection	Process 2576 resumed a thread in remote process 2752
Process injection	Process 2788 resumed a thread in remote process 2668
Process injection	Process 2752 resumed a thread in remote process 2928
Process injection	Process 1476 resumed a thread in remote process 3060
Process injection	Process 2756 resumed a thread in remote process 1152
Process injection	Process 2776 resumed a thread in remote process 1948
NtResumeThread Aug. 19, 2024, 2:15 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2576	1	0	0
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2752	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0	0
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2928	1	0	0
NtResumeThread Aug. 19, 2024, 2:15 p.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 3060	1	0	0
NtResumeThread Aug. 19, 2024, 2:16 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1152	1	0	0
NtResumeThread Aug. 19, 2024, 2:16 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1948	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2024, 2:15 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 60 1d 00 00 5b 01 f7 exception.symbol: rama+0x1ff4f7 exception.instruction: in eax, dx exception.module: rama.exe exception.exception_code: 0xc0000096 exception.offset: 2094327 exception.address: 0x22f4f7 registers.esp: 9435900 registers.edi: 9711334 registers.eax: 1447909480 registers.ebp: 3990663188 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 2280893 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 136 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 19, 2024, 2:15 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 1932	1	0
CreateProcessInternalW Aug. 19, 2024, 2:15 p.m.	thread_identifier: 2324 thread_handle: 0x000003e0 process_identifier: 2320 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
NtResumeThread Aug. 19, 2024, 2:15 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2320	1	0
CreateProcessInternalW Aug. 19, 2024, 2:15 p.m.	thread_identifier: 2524 thread_handle: 0x00000470 process_identifier: 2520 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
CreateProcessInternalW Aug. 19, 2024, 2:15 p.m.	thread_identifier: 3028 thread_handle: 0x00000460 process_identifier: 3024 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\5c887e602a.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Aug. 19, 2024, 2:15 p.m.	thread_identifier: 2072 thread_handle: 0x0000045c process_identifier: 1476 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000010002\b936c46ad4.exe track: 1 command_line: "C:\Users\test22\1000010002\b936c46ad4.exe" filepath_r: C:\Users\test22\1000010002\b936c46ad4.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000047c	1	1
NtResumeThread Aug. 19, 2024, 2:15 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2520	1	0
CreateProcessInternalW Aug. 19, 2024, 2:15 p.m.	thread_identifier: 2580 thread_handle: 0x000001fc process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\sysnative\cmd.exe track: 1 command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\D099.tmp\D09A.tmp\D0AB.bat C:\Users\test22\AppData\Local\Temp\1000008001\2fd9b80b02.exe" filepath_r: C:\Windows\sysnative\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000020c	1	1
NtResumeThread Aug. 19, 2024, 2:15 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2576	1	0
CreateProcessInternalW Aug. 19, 2024, 2:08 p.m.	thread_identifier: 2672 thread_handle: 0x000000000000006c process_identifier: 2668 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2668	1	0
CreateProcessInternalW Aug. 19, 2024, 2:08 p.m.	thread_identifier: 2756 thread_handle: 0x0000000000000068 process_identifier: 2752 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd" filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2752	1	0
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2668	1	0
CreateProcessInternalW Aug. 19, 2024, 2:08 p.m.	thread_identifier: 2792 thread_handle: 0x00000000000000c0 process_identifier: 2788 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3f86e00,0x7fef3f86e10,0x7fef3f86e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW Aug. 19, 2024, 2:09 p.m.	thread_identifier: 2988 thread_handle: 0x000000000000021c process_identifier: 3004 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1084,1686251424030752262,2892902276595057861,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1112 /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000001f8	1	1
NtResumeThread Aug. 19, 2024, 2:08 p.m.	thread_handle: 0x00000000000000e0 suspend_count: 1 process_identifier: 2788	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0
NtResumeThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2668	1	0
NtGetContextThread Aug. 19, 2024, 2:09 p.m.	thread_handle: 0x0000000000000114	1	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Cybereason	malicious.32c769
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
McAfee	Themida-FWSE!304EB6432C76
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Rising	Backdoor.Phpw!8.EB5E (TFE:2:i7va3kkB9fR)
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!304EB6432C76
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.304eb6432c7696e1
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=85)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Backdoor:Win32/Bladabindi!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36812.1DWaaiGtpmgi
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

rama.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All