Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 22, 2024, 11:25 a.m.	Aug. 22, 2024, 11:31 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`34440059466824a2678e1e846f3bff3b`
SHA256	`6205513c5a1d07e7d96566f6fe8b76b8a49e82aa3f090e864c21efe47779b61e`
CRC32	`F48426F4`
ssdeep	`49152:CNSofoGYX6t4kHXVpufnwKOC8vSHXTu17kRlmWKs:gLvYX6tDufnuCXKV`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1880
- svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2240
  - 28d6bed020.exe "C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe"
    2448
  - 75b348cc75.exe "C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe"
    2672
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      2876
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2960
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\2314ff24-e161-49ec-aa51-b883d6444016.dmp"
        1688
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\2314ff24-e161-49ec-aa51-b883d6444016.dmp"
        200
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        1908
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1524
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\6ca122c6-8b28-434d-a3a2-68b507e2c103.dmp"
        1184
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\6ca122c6-8b28-434d-a3a2-68b507e2c103.dmp"
        2116
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2904
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1076
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\2172002e-c362-4265-9c2c-d642233fd983.dmp"
        1284
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\2172002e-c362-4265-9c2c-d642233fd983.dmp"
        1680
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.100	Active	Moloch
31.41.244.10	Active	Moloch
31.41.244.11	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 31.41.244.10:80 -> 192.168.56.103:49164	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.103:49165 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.103:49168	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49164 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49203 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.100:80 -> 192.168.56.103:49168	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49197 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.100:80 -> 192.168.56.103:49168	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49201 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.100:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.100:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 22, 2024, 11:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 98 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 22, 2024, 11:25 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:25 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:25 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:25 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:25 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:26 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:27 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 22, 2024, 11:25 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	gsjytwpj
section	jmtliodp
section	.taggant

One or more processes crashed (50 out of 355 events)

Time & API	Arguments	Status
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3190b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3248313 exception.address: 0x13d90b9 registers.esp: 3735348 registers.edi: 0 registers.eax: 1 registers.ebp: 3735364 registers.edx: 22528000 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 50 56 c7 04 24 d4 1c 5f 2f 8b 04 24 81 c4 04 exception.symbol: random+0x6d09a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446618 exception.address: 0x112d09a registers.esp: 3735312 registers.edi: 1971192040 registers.eax: 31419 registers.ebp: 4008030228 registers.edx: 18009513 registers.ebx: 2237752443 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 56 53 bb fa b7 ff 7f e9 5d f7 ff ff 5c e9 00 exception.symbol: random+0x6d879 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448633 exception.address: 0x112d879 registers.esp: 3735316 registers.edi: 1971192040 registers.eax: 31419 registers.ebp: 4008030228 registers.edx: 18040932 registers.ebx: 2237752443 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 56 83 ec 04 89 3c 24 e9 ba fc ff ff 55 89 e5 exception.symbol: random+0x6d711 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448273 exception.address: 0x112d711 registers.esp: 3735316 registers.edi: 1971192040 registers.eax: 0 registers.ebp: 4008030228 registers.edx: 18012904 registers.ebx: 2179434839 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 9d 48 e3 34 e9 00 00 00 00 89 0c 24 89 e1 exception.symbol: random+0x6e6dc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 452316 exception.address: 0x112e6dc registers.esp: 3735316 registers.edi: 18016377 registers.eax: 0 registers.ebp: 4008030228 registers.edx: 234729 registers.ebx: 2179434839 registers.esi: 3 registers.ecx: 878832457	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 4a f6 ff ff 50 81 2c 24 35 0b 7b 73 5b 81 exception.symbol: random+0x1e98f4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2005236 exception.address: 0x12a98f4 registers.esp: 3735316 registers.edi: 18049433 registers.eax: 26707 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 61408169 registers.esi: 19592895 registers.ecx: 937	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 2f 03 00 00 31 c3 53 f7 14 24 8b exception.symbol: random+0x1e8f74 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2002804 exception.address: 0x12a8f74 registers.esp: 3735316 registers.edi: 4294943564 registers.eax: 26707 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 145641 registers.esi: 19592895 registers.ecx: 937	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 11 ff ff ff f7 d3 68 00 00 00 00 29 1c 24 exception.symbol: random+0x1eb4b0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2012336 exception.address: 0x12ab4b0 registers.esp: 3735316 registers.edi: 4294943564 registers.eax: 26728 registers.ebp: 4008030228 registers.edx: 1355480153 registers.ebx: 19601455 registers.esi: 19592895 registers.ecx: 975060844	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 57 e9 37 00 00 00 5e 29 eb 5d 81 c3 ee e2 fe exception.symbol: random+0x1eb96b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2013547 exception.address: 0x12ab96b registers.esp: 3735316 registers.edi: 4294943264 registers.eax: 26728 registers.ebp: 4008030228 registers.edx: 1549541099 registers.ebx: 19601455 registers.esi: 19592895 registers.ecx: 975060844	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 63 a3 74 61 89 14 24 89 2c 24 bd exception.symbol: random+0x1f2aa9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2042537 exception.address: 0x12b2aa9 registers.esp: 3735312 registers.edi: 6893296 registers.eax: 19604655 registers.ebp: 4008030228 registers.edx: 19579168 registers.ebx: 19577449 registers.esi: 41247 registers.ecx: 19577449	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 06 ff 34 24 8b 3c 24 52 89 0c 24 exception.symbol: random+0x1f295c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2042204 exception.address: 0x12b295c registers.esp: 3735316 registers.edi: 6893296 registers.eax: 19631124 registers.ebp: 4008030228 registers.edx: 19579168 registers.ebx: 19577449 registers.esi: 41247 registers.ecx: 19577449	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 3c 24 89 2c 24 exception.symbol: random+0x1f25c5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2041285 exception.address: 0x12b25c5 registers.esp: 3735316 registers.edi: 1114345 registers.eax: 19631124 registers.ebp: 4008030228 registers.edx: 19579168 registers.ebx: 19577449 registers.esi: 4294943400 registers.ecx: 19577449	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 c7 04 24 1d 94 9e 15 exception.symbol: random+0x1f8391 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2065297 exception.address: 0x12b8391 registers.esp: 3735308 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4008030228 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 19611392 registers.ecx: 20	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1f73ec exception.address: 0x12b73ec exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2061292 registers.esp: 3735308 registers.edi: 1114345 registers.eax: 1 registers.ebp: 4008030228 registers.edx: 22104 registers.ebx: 0 registers.esi: 19611392 registers.ecx: 20	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 d6 39 2d 12 01 exception.symbol: random+0x1f4539 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2049337 exception.address: 0x12b4539 registers.esp: 3735308 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4008030228 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19611392 registers.ecx: 10	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 56 be 26 ff eb 37 53 bb e1 b1 f3 6b 81 f3 91 exception.symbol: random+0x1fcea0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2084512 exception.address: 0x12bcea0 registers.esp: 3735312 registers.edi: 1114345 registers.eax: 26699 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 26514031 registers.esi: 10 registers.ecx: 19646175	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 51 89 2c 24 68 00 2e 83 32 89 04 24 e9 71 02 exception.symbol: random+0x1fc73d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2082621 exception.address: 0x12bc73d registers.esp: 3735316 registers.edi: 1114345 registers.eax: 26699 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 26514031 registers.esi: 10 registers.ecx: 19672874	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 d1 00 00 00 89 e3 e9 96 03 00 00 31 54 24 exception.symbol: random+0x1fca15 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2083349 exception.address: 0x12bca15 registers.esp: 3735316 registers.edi: 1114345 registers.eax: 26699 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 6379 registers.esi: 0 registers.ecx: 19648762	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f bf d3 0f 80 05 00 00 00 66 81 c1 exception.symbol: random+0x1fd5de exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2086366 exception.address: 0x12bd5de registers.esp: 3735276 registers.edi: 0 registers.eax: 3735276 registers.ebp: 4008030228 registers.edx: 1027563979 registers.ebx: 19650249 registers.esi: 1236167242 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 77 05 00 00 81 c7 00 08 d6 6e e9 c3 ff ff exception.symbol: random+0x204294 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2114196 exception.address: 0x12c4294 registers.esp: 3735316 registers.edi: 0 registers.eax: 28186 registers.ebp: 4008030228 registers.edx: 19680950 registers.ebx: 347401348 registers.esi: 15291989 registers.ecx: 19648823	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 14 79 b5 5d 89 3c 24 51 89 34 24 be 05 40 exception.symbol: random+0x2105c7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2164167 exception.address: 0x12d05c7 registers.esp: 3735304 registers.edi: 18007110 registers.eax: 31817 registers.ebp: 4008030228 registers.edx: 19727390 registers.ebx: 26514253 registers.esi: 1971262480 registers.ecx: 6	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 31 fd ff ff 58 c1 e2 07 e9 fb 00 00 00 83 exception.symbol: random+0x2109c5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2165189 exception.address: 0x12d09c5 registers.esp: 3735308 registers.edi: 18007110 registers.eax: 604292947 registers.ebp: 4008030228 registers.edx: 19730511 registers.ebx: 26514253 registers.esi: 0 registers.ecx: 6	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: random+0x211b76 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2169718 exception.address: 0x12d1b76 registers.esp: 3735308 registers.edi: 18007110 registers.eax: 19763745 registers.ebp: 4008030228 registers.edx: 1324566467 registers.ebx: 26514253 registers.esi: 0 registers.ecx: 6	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 57 50 e9 45 02 00 00 56 be 68 06 ad 6f 68 7c exception.symbol: random+0x2114b0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2167984 exception.address: 0x12d14b0 registers.esp: 3735308 registers.edi: 18007110 registers.eax: 19734621 registers.ebp: 4008030228 registers.edx: 607453008 registers.ebx: 26514253 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 5b 01 00 00 01 cb e9 ca 04 00 00 52 ba 1e exception.symbol: random+0x21443e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2180158 exception.address: 0x12d443e registers.esp: 3735308 registers.edi: 18007110 registers.eax: 25954 registers.ebp: 4008030228 registers.edx: 19768007 registers.ebx: 595118080 registers.esi: 0 registers.ecx: 1309431512	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 fb 81 06 29 89 3c 24 e9 c7 fd ff exception.symbol: random+0x21438c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2179980 exception.address: 0x12d438c registers.esp: 3735308 registers.edi: 0 registers.eax: 25954 registers.ebp: 4008030228 registers.edx: 19745463 registers.ebx: 595118080 registers.esi: 84201 registers.ecx: 1309431512	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 31 00 00 00 81 c2 f7 af c7 20 89 d0 e9 d1 exception.symbol: random+0x2355c1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2315713 exception.address: 0x12f55c1 registers.esp: 3735276 registers.edi: 19909293 registers.eax: 30929 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 2150439100 registers.esi: 19874936 registers.ecx: 757530624	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 e9 25 02 00 00 c7 04 24 7a 13 69 exception.symbol: random+0x235a54 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2316884 exception.address: 0x12f5a54 registers.esp: 3735276 registers.edi: 19881309 registers.eax: 30929 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 116969 registers.esi: 0 registers.ecx: 757530624	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 81 c7 c1 28 ff 5b 03 3c 24 68 7d ea 03 48 e9 exception.symbol: random+0x236957 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2320727 exception.address: 0x12f6957 registers.esp: 3735272 registers.edi: 19883558 registers.eax: 32367 registers.ebp: 4008030228 registers.edx: 72447633 registers.ebx: 155071276 registers.esi: 19882668 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 56 52 51 e9 d7 ff ff ff 51 68 e9 7f e3 7f 59 exception.symbol: random+0x236aa5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2321061 exception.address: 0x12f6aa5 registers.esp: 3735276 registers.edi: 19886593 registers.eax: 0 registers.ebp: 4008030228 registers.edx: 8317265 registers.ebx: 155071276 registers.esi: 19882668 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 96 8c 5c 73 89 14 24 83 ec 04 89 34 24 be exception.symbol: random+0x2379da exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2324954 exception.address: 0x12f79da registers.esp: 3735272 registers.edi: 19886593 registers.eax: 30057 registers.ebp: 4008030228 registers.edx: 8317265 registers.ebx: 1090745490 registers.esi: 19886811 registers.ecx: 1322330285	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 50 55 89 0c 24 52 e9 d0 03 00 00 21 d9 e9 31 exception.symbol: random+0x23737e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2323326 exception.address: 0x12f737e registers.esp: 3735276 registers.edi: 19886593 registers.eax: 30057 registers.ebp: 4008030228 registers.edx: 8317265 registers.ebx: 1090745490 registers.esi: 19916868 registers.ecx: 1322330285	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 89 2c 24 c7 04 24 f5 0c 37 44 81 exception.symbol: random+0x2378c2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2324674 exception.address: 0x12f78c2 registers.esp: 3735276 registers.edi: 992308072 registers.eax: 30057 registers.ebp: 4008030228 registers.edx: 0 registers.ebx: 1090745490 registers.esi: 19890220 registers.ecx: 1322330285	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 7e 4c 0f 4e 89 0c 24 c7 04 24 0c 25 ae 3e exception.symbol: random+0x2389d1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2329041 exception.address: 0x12f89d1 registers.esp: 3735276 registers.edi: 992308072 registers.eax: 26629 registers.ebp: 4008030228 registers.edx: 0 registers.ebx: 19917018 registers.esi: 19890220 registers.ecx: 1420284895	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 89 34 24 e9 22 00 00 00 c7 04 24 exception.symbol: random+0x238519 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2327833 exception.address: 0x12f8519 registers.esp: 3735276 registers.edi: 992308072 registers.eax: 2170966112 registers.ebp: 4008030228 registers.edx: 0 registers.ebx: 19917018 registers.esi: 4294944144 registers.ecx: 1420284895	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 50 b8 b0 7c 7f 7f e9 13 06 00 00 05 92 b2 06 exception.symbol: random+0x2400ba exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2359482 exception.address: 0x13000ba registers.esp: 3735272 registers.edi: 19922185 registers.eax: 29329 registers.ebp: 4008030228 registers.edx: 19916030 registers.ebx: 3589275644 registers.esi: 269762168 registers.ecx: 39836666	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 10 00 00 00 09 cd 59 81 ed 80 ff df fd 01 exception.symbol: random+0x24072d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2361133 exception.address: 0x130072d registers.esp: 3735276 registers.edi: 19951514 registers.eax: 29329 registers.ebp: 4008030228 registers.edx: 4294940852 registers.ebx: 3589275644 registers.esi: 4291421880 registers.ecx: 39836666	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 53 e9 60 02 00 00 81 ee fd dc ff 56 01 c6 81 exception.symbol: random+0x24102f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2363439 exception.address: 0x130102f registers.esp: 3735272 registers.edi: 19951514 registers.eax: 28404 registers.ebp: 4008030228 registers.edx: 4294940852 registers.ebx: 3589275644 registers.esi: 19925276 registers.ecx: 1385374145	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 31 c0 e9 7e fa ff ff bf bb c2 ff 07 81 e7 21 exception.symbol: random+0x24131e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2364190 exception.address: 0x130131e registers.esp: 3735276 registers.edi: 19951514 registers.eax: 28404 registers.ebp: 4008030228 registers.edx: 4294940852 registers.ebx: 3589275644 registers.esi: 19953680 registers.ecx: 1385374145	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 f4 9c fb 7d e9 df f9 ff ff 81 c1 exception.symbol: random+0x240fae exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2363310 exception.address: 0x1300fae registers.esp: 3735276 registers.edi: 19951514 registers.eax: 4294941540 registers.ebp: 4008030228 registers.edx: 4294940852 registers.ebx: 24811 registers.esi: 19953680 registers.ecx: 1385374145	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 bd 7b 9d e7 72 29 exception.symbol: random+0x2434c3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2372803 exception.address: 0x13034c3 registers.esp: 3735272 registers.edi: 19935613 registers.eax: 31167 registers.ebp: 4008030228 registers.edx: 4294940852 registers.ebx: 24811 registers.esi: 19953680 registers.ecx: 1471775433	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 f0 e8 2d 29 89 1c 24 55 51 e9 10 00 00 00 exception.symbol: random+0x243ade exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2374366 exception.address: 0x1303ade registers.esp: 3735276 registers.edi: 19938508 registers.eax: 0 registers.ebp: 4008030228 registers.edx: 4294940852 registers.ebx: 24811 registers.esi: 19953680 registers.ecx: 157417	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 60 d5 23 4f 89 14 24 89 2c 24 bd ec 35 77 exception.symbol: random+0x244160 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2376032 exception.address: 0x1304160 registers.esp: 3735272 registers.edi: 19938508 registers.eax: 30825 registers.ebp: 4008030228 registers.edx: 19939539 registers.ebx: 768078519 registers.esi: 19953680 registers.ecx: 157417	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 52 e9 88 fc ff ff 51 89 e1 81 c1 04 00 00 00 exception.symbol: random+0x244c8d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2378893 exception.address: 0x1304c8d registers.esp: 3735276 registers.edi: 19938508 registers.eax: 30825 registers.ebp: 4008030228 registers.edx: 19970364 registers.ebx: 768078519 registers.esi: 19953680 registers.ecx: 157417	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 78 2e 28 79 89 1c 24 50 b8 a6 9b exception.symbol: random+0x2447ae exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2377646 exception.address: 0x13047ae registers.esp: 3735276 registers.edi: 19938508 registers.eax: 81129 registers.ebp: 4008030228 registers.edx: 19970364 registers.ebx: 768078519 registers.esi: 4294939652 registers.ecx: 157417	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 ba 00 00 00 29 ea e9 b4 ff ff ff c1 e1 06 exception.symbol: random+0x24c0bc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2408636 exception.address: 0x130c0bc registers.esp: 3735276 registers.edi: 4023774921 registers.eax: 20003065 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 19952306 registers.ecx: 757530624	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 44 fc ff ff 5e e9 67 fd ff ff be 39 65 eb exception.symbol: random+0x24c322 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2409250 exception.address: 0x130c322 registers.esp: 3735276 registers.edi: 4023774921 registers.eax: 20003065 registers.ebp: 4008030228 registers.edx: 4294938800 registers.ebx: 2147483650 registers.esi: 746672215 registers.ecx: 757530624	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 53 e9 68 02 00 00 exception.symbol: random+0x25679f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2451359 exception.address: 0x131679f registers.esp: 3735276 registers.edi: 19981761 registers.eax: 30840 registers.ebp: 4008030228 registers.edx: 20045704 registers.ebx: 1969225702 registers.esi: 459703479 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb e9 55 fa ff ff 55 e9 d1 01 00 00 58 01 fe 8b exception.symbol: random+0x256e3f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2453055 exception.address: 0x1316e3f registers.esp: 3735276 registers.edi: 0 registers.eax: 2676459880 registers.ebp: 4008030228 registers.edx: 20017440 registers.ebx: 1969225702 registers.esi: 459703479 registers.ecx: 0	1
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: fb 68 ae e0 fb 2c 89 04 24 b8 ae ad f5 5c 81 c7 exception.symbol: random+0x26ba59 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2538073 exception.address: 0x132ba59 registers.esp: 3735272 registers.edi: 20101407 registers.eax: 33075 registers.ebp: 4008030228 registers.edx: 2130566132 registers.ebx: 258 registers.esi: 20276855 registers.ecx: 757530624	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (12 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://31.41.244.11/steam/random.exe
request	GET http://31.41.244.11/well/random.exe
request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://185.215.113.100/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.100/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.100/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.100/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.100/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.100/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.100/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 96 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000049d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 11:25 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	svoutse.exe tried to sleep 1124 seconds, actually delayed analysis time by 1124 seconds
description	28d6bed020.exe tried to sleep 231 seconds, actually delayed analysis time by 231 seconds

An application raised an exception which may be indicative of an exploit crash (6 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2960 crashed
Application Crash	Process firefox.exe with pid 1524 crashed
Application Crash	Process firefox.exe with pid 1076 crashed
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8712728 registers.r15: 8791545386608 registers.rcx: 48 registers.rsi: 8791545318272 registers.r10: 0 registers.rbx: 0 registers.rsp: 8712360 registers.r11: 8715744 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14927408 registers.rbp: 8712480 registers.rdi: 251764768 registers.rax: 13442816 registers.r13: 8713320	1	0	0
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10415640 registers.r15: 8791414380144 registers.rcx: 48 registers.rsi: 8791414311808 registers.r10: 0 registers.rbx: 0 registers.rsp: 10415272 registers.r11: 10418656 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14928848 registers.rbp: 10415392 registers.rdi: 257007648 registers.rax: 13442816 registers.r13: 10416232	1	0	0
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8648672 registers.r15: 8648176 registers.rcx: 48 registers.rsi: 14758912 registers.r10: 0 registers.rbx: 0 registers.rsp: 8647224 registers.r11: 8649424 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 8648007 registers.rbp: 8647344 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe
file	C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe
file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 22, 2024, 11:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1
ShellExecuteExW Aug. 22, 2024, 11:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe	1	1
ShellExecuteExW Aug. 22, 2024, 11:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: pw.exe process_identifier: 1696	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: cmd.exe process_identifier: 1976	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: SearchProtocolHost.exe process_identifier: 1256	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: SearchFilterHost.exe process_identifier: 1960	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: pw.exe process_identifier: 184	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: svoutse.exe process_identifier: 2240	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: 28d6bed020.exe process_identifier: 2448	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000354 process_name: 75b348cc75.exe process_identifier: 2672	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: svchost.exe process_identifier: 2792	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: mscorsvw.exe process_identifier: 2820	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: firefox.exe process_identifier: 2960	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: mscorsvw.exe process_identifier: 3000	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: sppsvc.exe process_identifier: 1232	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: svchost.exe process_identifier: 2084	1	1
Process32NextW Aug. 22, 2024, 11:26 a.m.	snapshot_handle: 0x00000500 process_name: explorer.exe process_identifier: 2128	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000179d8830000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes svoutse.exe, 28d6bed020.exe (9 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 22, 2024, 11:25 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PELºfà ÈB"àfà@g @Pð#døñ# Ð#<@à.rsrc à#L@À.idata ð#L@À `)$N@àjgxtndkxp`MjP@àhkpnrzeyÐfº@à.taggant0àf"¾@à request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:25 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELoÆfà"¬ ÎwÀ @à¯t@@@d\|@ ¸`uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc¸@ ô@@.relocu`v@B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè]N$èUÆ^ÃUìQSVWùûÿÿ@Ç8ûÿÿ\ÉIPûÿÿ:ûÿÿ\|üÿÿÀi3öVVVhHÉIÿÐÇI9·dýÿÿ[3ö9·4ýÿÿKËè®3ö9·Dýÿÿ3ö9·Týÿÿ·lýÿÿÎè÷º3ÉÇF@Ç9ûÿÿt5MüQMüQûÿÿè/ûÿÿ@ÈèÆ@Ç¸ûÿÿuÎÿlÈIOàÉkOÔÉu3Û_ÜOÄÉãO¤_Ìè`þÿÿè ·dþÿÿÎÇ<ÉIèÿvè¿èYýÿÿè\|ýÿÿè#lýÿÿè)º·\ýÿÿÎÇDÉIètÿvèèóÇLýÿÿ@ÉIY9Týÿÿòÿ·PýÿÿTýÿÿèXèóÇ<ýÿÿ@ÉIY9Dýÿÿñÿ·@ýÿÿDýÿÿè.èóÇ,ýÿÿ@ÉIY94ýÿÿðÿ·0ýÿÿ4ýÿÿèèY$ýÿÿÉù·ýÿÿÎÇ<ÉIè£ÿvèÚçYýÿÿÉãüüÿÿÉéèüÿÿè-ÐüÿÿèÄüÿÿÉÙÌüÿÿ¸üÿÿÉÙlüÿÿÀüÿÿèï\üÿÿèäLüÿÿèÙüÿÿèµ_^[ÉÃ`ýÿÿ°Àt#ÿ0ÿ5MÿÅI`ýÿÿ°ÉtQèØùÿÿF;·dýÿÿfýÿÿë¿qQèþàÎö þÿÿëëVñW3ÿN>è5N$è-N4èsPN`èkPèjÇ¼<ÉI¾À¾Ä¾ÈèiæY8Æ_^ÃVWùÉtQè_·¼ÎÇ<ÉIè6ÿvèmæYèÜO`è¯QO4è§QO$èÄO_^éºVñW3ÿ9~f_^ÃVñjVè×åYYÆ^ÂVñW3ÿ9~wf_^ÃFjÿ4¸è°åYYF$¸G;~sÝëâSVñ3ÛW¾d9u%\|èÿÿÿ¾p9u9=_^[ÃÏèÛëÎÏè=ëÚWùxÿÿÿ@Ç8xÿÿÿhÉIèhOðèóOàèëOÐèãOÀèÛO¬èÓOèËOèÃ\|ÿÿÿÉug_ÃVéË VWñè¶@öÉ _^ÃVqöÜ ^ÃWùu&?ÿu_ÃVw$Ïèij(WèäþYYöuæ^_ÃÿwèÓäYëÏVñÉtQèþÿÿìèP¼è&¬èèèN^éVWù3öD÷ÀN Fþ\|î_^ÃSVñ3ÛW8^ T 8^uNy8ÉtQè~^ ÿ_^[Ã³ëóVñN è²µÎè«µj@VèÐãYYÆ^ÂUìSÙVW{ {u)EÏ0è~µ7ÇGC{ _^[u Æ@]Â8ëÒ@8ëî3ÀÇMd3Éf£2MA¢4Mj 8M <M @M¢PMf£üM ôM øM¹úX M£DM£HM LMÃUìWù rVj@èãYÿuðÎèON8w^ÿ_]ÂUìVuWùVgèëåFO GFGFGF aPèÉåF0G0Ç_^]Â3Ò3À@AQQQQA,ÁQ Q(Q0ÃVñ&NèWèþèó¬èè¼èÝìè LjèEâÇ$\|ÉI ÿ ÇIFÆ^ÃjAZ @êuõÁÃSV5ÆI3ÛWùjXSGfÇG____j[ÇGÿÖSjG)ÿÖSh request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 22, 2024, 11:26 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.98638646420937, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98638646421

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a1a00', u'virtual_address': u'0x00319000', u'entropy': 7.955372310054183, u'name': u'gsjytwpj', u'virtual_size': u'0x001a2000'}

entropy

7.95537231005

description

A section with a high entropy has been found

entropy

0.994100294985

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (36 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Aug. 22, 2024, 11:26 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	31.41.244.10
host	31.41.244.11

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 1524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 1524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 1076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 1076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 441 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:25 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:26 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 22, 2024, 11:26 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:26 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 22, 2024, 11:26 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 22, 2024, 11:26 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\28d6bed020.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\75b348cc75.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe
file	C:\Windows\Tasks\svoutse.job

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f7b22b0 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f7c0d88 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I»`#x?Aÿã base_address: 0x0000000077711590 process_identifier: 2960 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ^] base_address: 0x000000013f7c0d78 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I» x?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2960 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ^] base_address: 0x000000013f7c0d70 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ÏT base_address: 0x000000013f760108 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7baae8 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f7c0c78 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f7f22b0 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f800d88 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I»`#\|?Aÿã base_address: 0x0000000077711590 process_identifier: 1524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ` base_address: 0x000000013f800d78 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I» \|?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ` base_address: 0x000000013f800d70 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÏT base_address: 0x000000013f7a0108 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7faae8 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f800c78 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f7f22b0 process_identifier: 1076 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f800d88 process_identifier: 1076 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I»`#\|?Aÿã base_address: 0x0000000077711590 process_identifier: 1076 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÆZ base_address: 0x000000013f800d78 process_identifier: 1076 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I» \|?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1076 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÆZ base_address: 0x000000013f800d70 process_identifier: 1076 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÏT base_address: 0x000000013f7a0108 process_identifier: 1076 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7faae8 process_identifier: 1076 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f800c78 process_identifier: 1076 process_handle: 0x0000000000000048	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Aug. 22, 2024, 11:26 a.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	svoutse.exe				useragent
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (6 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\2314ff24-e161-49ec-aa51-b883d6444016.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\6ca122c6-8b28-434d-a3a2-68b507e2c103.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\2172002e-c362-4265-9c2c-d642233fd983.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2672 resumed a thread in remote process 2876
Process injection	Process 2876 resumed a thread in remote process 2960
Process injection	Process 1908 resumed a thread in remote process 1524
Process injection	Process 2904 resumed a thread in remote process 1076
NtResumeThread Aug. 22, 2024, 11:26 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2876	1	0	0
NtResumeThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2960	1	0	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1524	1	0	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1076	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 22, 2024, 11:25 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 c7 04 24 1d 94 9e 15 exception.symbol: random+0x1f8391 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2065297 exception.address: 0x12b8391 registers.esp: 3735308 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4008030228 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 19611392 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 95 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 22, 2024, 11:25 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 1880	1	0
CreateProcessInternalW Aug. 22, 2024, 11:25 a.m.	thread_identifier: 2244 thread_handle: 0x000003dc process_identifier: 2240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
NtResumeThread Aug. 22, 2024, 11:25 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2240	1	0
CreateProcessInternalW Aug. 22, 2024, 11:25 a.m.	thread_identifier: 2452 thread_handle: 0x00000468 process_identifier: 2448 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\28d6bed020.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000464	1	1
CreateProcessInternalW Aug. 22, 2024, 11:26 a.m.	thread_identifier: 2676 thread_handle: 0x00000430 process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000012001\75b348cc75.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
NtResumeThread Aug. 22, 2024, 11:26 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2672	1	0
CreateProcessInternalW Aug. 22, 2024, 11:26 a.m.	thread_identifier: 2880 thread_handle: 0x000002a8 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Aug. 22, 2024, 11:26 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW Aug. 22, 2024, 11:18 a.m.	thread_identifier: 2964 thread_handle: 0x0000000000000044 process_identifier: 2960 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f7b22b0 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f7c0d88 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Aug. 22, 2024, 11:18 a.m.	section_handle: 0x0000000000000060 process_identifier: 2960 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000005d5e0000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000005d5e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I»`#x?Aÿã base_address: 0x0000000077711590 process_identifier: 2960 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ^] base_address: 0x000000013f7c0d78 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I» x?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2960 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ^] base_address: 0x000000013f7c0d70 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ÏT base_address: 0x000000013f760108 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7baae8 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f7c0c78 process_identifier: 2960 process_handle: 0x000000000000004c	1	1
NtResumeThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 2960	1	0
NtGetContextThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000228	1	0
NtGetContextThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000230	1	0
NtGetContextThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000234	1	0
NtGetContextThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000238	1	0
NtGetContextThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x000000000000023c	1	0
NtGetContextThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000240	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000228 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000238 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000240 suspend_count: 1 process_identifier: 2960	1	0
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 1676 thread_handle: 0x0000000000000208 process_identifier: 1688 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\2314ff24-e161-49ec-aa51-b883d6444016.dmp" filepath_r: stack_pivoted: 0 creation_flags: 150994976 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000000000000214	1	1
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 1184 thread_handle: 0x00000000000000a0 process_identifier: 200 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\2314ff24-e161-49ec-aa51-b883d6444016.dmp" filepath_r: stack_pivoted: 0 creation_flags: 134217760 (CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000000000a4	1	1
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000150 suspend_count: 1 process_identifier: 1688	1	0
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 1864 thread_handle: 0x0000000000000164 process_identifier: 1908 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000168	1	1
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 2908 thread_handle: 0x0000000000000344 process_identifier: 2904 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000348	1	1
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x00000000000000c0 suspend_count: 1 process_identifier: 200	1	0
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 1868 thread_handle: 0x0000000000000044 process_identifier: 1524 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f7f22b0 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f800d88 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
NtMapViewOfSection Aug. 22, 2024, 11:19 a.m.	section_handle: 0x000000000000005c process_identifier: 1524 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000060870000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x000000000000004c	1	0
NtAllocateVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 1524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000060870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000000000000004c	1	0
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I»`#\|?Aÿã base_address: 0x0000000077711590 process_identifier: 1524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ` base_address: 0x000000013f800d78 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I» \|?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ` base_address: 0x000000013f800d70 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÏT base_address: 0x000000013f7a0108 process_identifier: 1524 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7faae8 process_identifier: 1524 process_handle: 0x0000000000000048	1	1

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Pate.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Cybereason	malicious.946682
Arcabit	Trojan.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
McAfee	Themida-FWSE!344400594668
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!344400594668
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.34440059466824a2
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=86)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36812.0DWaa0A27Bgi
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All