Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 21, 2024, 9:19 a.m.	Sept. 21, 2024, 9:22 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cb218d4896ba79bb9d4527b1a69602e0`
SHA256	`d910b2ec11534ffd057e3e2574a25e94ee5878ba9b248437f51ce978a75aabe0`
CRC32	`3F8A8FB8`
ssdeep	`49152:h3zAEl59K+3xJX6WA31OeNwBkz/pfMdzR:lAED9vJXssBy/ZMdzR`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2576
- svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2840
  - 9689483c43.exe "C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe"
    3036
  - 23f4812b8e.exe "C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe"
    1400
  - 74e2c6ecf7.exe "C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe"
    2568
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2604
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2356
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\dea64fbd-5898-45e2-b245-2e4b2398afe3.dmp"
        1080
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\dea64fbd-5898-45e2-b245-2e4b2398afe3.dmp"
        2748
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2672
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2744
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\8ca021dc-c7d6-49fb-8ed5-8b29fc5fbf04.dmp"
        2732
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\8ca021dc-c7d6-49fb-8ed5-8b29fc5fbf04.dmp"
        2168
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      196
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2104
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\ae0965bd-8ece-4bc0-8b9e-f361bd7860fc.dmp"
        2316
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\ae0965bd-8ece-4bc0-8b9e-f361bd7860fc.dmp"
        2772
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      284
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2372
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\32e0ed30-e778-4679-84dc-c44141c2515a.dmp"
        3116
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\32e0ed30-e778-4679-84dc-c44141c2515a.dmp"
        3280
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      1304
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        1576
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\a8b9f685-5eda-4121-ae2f-a3256eb94ea8.dmp"
        3496
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\a8b9f685-5eda-4121-ae2f-a3256eb94ea8.dmp"
        3628
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2872
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2728
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\07e8335b-76ca-4bf2-8a37-b0334d058974.dmp"
        3976
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\07e8335b-76ca-4bf2-8a37-b0334d058974.dmp"
        4052
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      1156
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2416
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\7a0a2923-f4a5-492a-95ea-ca19ba432f81.dmp"
        3808
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\7a0a2923-f4a5-492a-95ea-ca19ba432f81.dmp"
        4060
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2776
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6dc696bd-ac7d-473e-ba28-8b077e44d305.dmp"
        3312
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\6dc696bd-ac7d-473e-ba28-8b077e44d305.dmp"
        3432
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      536
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2676
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\841baca1-9369-4a7a-93ca-dc0c45b62afe.dmp"
        1924
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\841baca1-9369-4a7a-93ca-dc0c45b62afe.dmp"
        3656
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      1092
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3232
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\350d8c5a-c101-4457-962f-25918f282ee7.dmp"
        2036
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\350d8c5a-c101-4457-962f-25918f282ee7.dmp"
        560
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3416
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3504
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f29ca694-0d34-4a80-ae96-f8a58931ccab.dmp"
        4156
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\f29ca694-0d34-4a80-ae96-f8a58931ccab.dmp"
        4268
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3700
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3776
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\3d625017-5073-4e56-bd3a-cd5921e5d492.dmp"
        4480
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3860
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\d2eae037-8988-407b-a6d3-f86b71ff5ff3.dmp"
        4392
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\d2eae037-8988-407b-a6d3-f86b71ff5ff3.dmp"
        4488
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4036
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3144
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      1872
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\b28664aa-ac75-4768-b7de-b27000e704b6.dmp"
        4532
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      412
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3584
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3672
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3844
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3192
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2260
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3520
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3904
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2760
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2824
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        1780
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3076
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4112
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        4232
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.100	Active	Moloch
185.215.113.103	Active	Moloch
31.41.244.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 185.215.113.100:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 31.41.244.10:80 -> 192.168.56.101:49164	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.101:49173 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 185.215.113.100:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.103:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.103:80 -> 192.168.56.101:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.101:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.103:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 21, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 9:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 262 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:19 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 9:20 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2024, 9:19 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	slovfzks
section	ohubcquj
section	.taggant

One or more processes crashed (50 out of 491 events)

Time & API	Arguments	Status
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3040b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3162297 exception.address: 0x14b40b9 registers.esp: 1439896 registers.edi: 0 registers.eax: 1 registers.ebp: 1439912 registers.edx: 23379968 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 53 55 52 e9 89 03 00 00 8b 24 24 e9 cb 01 00 exception.symbol: random+0x6d19a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446874 exception.address: 0x121d19a registers.esp: 1439864 registers.edi: 1968898280 registers.eax: 30628 registers.ebp: 4009013268 registers.edx: 19023202 registers.ebx: 0 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 55 52 ba 87 e2 6c 6c e9 35 00 00 00 f7 df 4f exception.symbol: random+0x6cebe exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446142 exception.address: 0x121cebe registers.esp: 1439864 registers.edi: 0 registers.eax: 30628 registers.ebp: 4009013268 registers.edx: 18995450 registers.ebx: 0 registers.esi: 2179041617 registers.ecx: 1969094656	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 51 e9 b9 fb ff ff 89 e0 05 04 exception.symbol: random+0x6e3e1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 451553 exception.address: 0x121e3e1 registers.esp: 1439864 registers.edi: 0 registers.eax: 27829 registers.ebp: 4009013268 registers.edx: 4294942244 registers.ebx: 0 registers.esi: 241897 registers.ecx: 19023735	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 68 27 70 ff 37 e9 97 00 00 00 89 exception.symbol: random+0x1dae98 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1945240 exception.address: 0x138ae98 registers.esp: 1439864 registers.edi: 19032059 registers.eax: 32209 registers.ebp: 4009013268 registers.edx: 18986089 registers.ebx: 20523662 registers.esi: 1458014551 registers.ecx: 4294937588	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 4c fb ff ff 05 04 00 00 exception.symbol: random+0x1e10bb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1970363 exception.address: 0x13910bb registers.esp: 1439864 registers.edi: 19032059 registers.eax: 27469 registers.ebp: 4009013268 registers.edx: 20542149 registers.ebx: 42992272 registers.esi: 1458014551 registers.ecx: 656	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 53 c7 04 24 d2 22 ff 7e e9 exception.symbol: random+0x1e0a8c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1968780 exception.address: 0x1390a8c registers.esp: 1439864 registers.edi: 1549541099 registers.eax: 27469 registers.ebp: 4009013268 registers.edx: 20517621 registers.ebx: 0 registers.esi: 1458014551 registers.ecx: 656	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 f7 f6 0a 76 89 0c 24 c7 04 24 e2 32 ad 6f exception.symbol: random+0x1e2427 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 1975335 exception.address: 0x1392427 registers.esp: 1439864 registers.edi: 4294937684 registers.eax: 134889 registers.ebp: 4009013268 registers.edx: 95 registers.ebx: 20551951 registers.esi: 96 registers.ecx: 96	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 14 24 c7 04 24 45 exception.symbol: random+0x1e99f7 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2005495 exception.address: 0x13999f7 registers.esp: 1439856 registers.edi: 4009496 registers.eax: 1447909480 registers.ebp: 4009013268 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 20551509 registers.ecx: 20	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1eb6ba exception.address: 0x139b6ba exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2012858 registers.esp: 1439856 registers.edi: 4009496 registers.eax: 1 registers.ebp: 4009013268 registers.edx: 22104 registers.ebx: 0 registers.esi: 20551509 registers.ecx: 20	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 fc 35 2d 12 01 exception.symbol: random+0x1ec9e1 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2017761 exception.address: 0x139c9e1 registers.esp: 1439856 registers.edi: 4009496 registers.eax: 1447909480 registers.ebp: 4009013268 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20551509 registers.ecx: 10	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 80 d6 72 0f 81 06 00 00 00 51 66 b9 exception.symbol: random+0x1f1f4a exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2039626 exception.address: 0x13a1f4a registers.esp: 1439824 registers.edi: 0 registers.eax: 1439824 registers.ebp: 4009013268 registers.edx: 20586277 registers.ebx: 20586660 registers.esi: 51169 registers.ecx: 20586259	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 f4 1a 03 2c 89 1c 24 53 89 14 24 68 37 fd exception.symbol: random+0x1f2ce7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2043111 exception.address: 0x13a2ce7 registers.esp: 1439864 registers.edi: 4009496 registers.eax: 32467 registers.ebp: 4009013268 registers.edx: 2130566340 registers.ebx: 72061312 registers.esi: 10 registers.ecx: 20619861	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 a2 ec 08 29 89 3c 24 81 ec 04 00 00 00 89 exception.symbol: random+0x1f2bb0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2042800 exception.address: 0x13a2bb0 registers.esp: 1439864 registers.edi: 4009496 registers.eax: 0 registers.ebp: 4009013268 registers.edx: 6379 registers.ebx: 72061312 registers.esi: 10 registers.ecx: 20590605	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 b7 6b 7f 57 c1 24 24 07 e9 60 01 exception.symbol: random+0x200fb7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2101175 exception.address: 0x13b0fb7 registers.esp: 1439864 registers.edi: 18985334 registers.eax: 20674940 registers.ebp: 4009013268 registers.edx: 6 registers.ebx: 72061534 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 b2 12 cd 57 89 1c 24 57 83 ec 04 exception.symbol: random+0x200ffe exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2101246 exception.address: 0x13b0ffe registers.esp: 1439864 registers.edi: 18985334 registers.eax: 20649940 registers.ebp: 4009013268 registers.edx: 6 registers.ebx: 3946993848 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 56 e9 26 f8 ff ff 8b 0c 24 e9 69 00 00 00 89 exception.symbol: random+0x2023b8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2106296 exception.address: 0x13b23b8 registers.esp: 1439864 registers.edi: 18985334 registers.eax: 30981 registers.ebp: 4009013268 registers.edx: 20681364 registers.ebx: 4294939412 registers.esi: 1968968720 registers.ecx: 262633	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 68 b0 0b f3 77 5b 56 be 4f exception.symbol: random+0x206584 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2123140 exception.address: 0x13b6584 registers.esp: 1439852 registers.edi: 4023714146 registers.eax: 20669058 registers.ebp: 4009013268 registers.edx: 20681364 registers.ebx: 35802737 registers.esi: 1987954054 registers.ecx: 41348729	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 51 b9 8c 53 f8 2f c1 e9 04 f7 d1 exception.symbol: random+0x2063e5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2122725 exception.address: 0x13b63e5 registers.esp: 1439856 registers.edi: 4023714146 registers.eax: 20701381 registers.ebp: 4009013268 registers.edx: 20681364 registers.ebx: 35802737 registers.esi: 1987954054 registers.ecx: 41348729	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 91 42 8a 0b 89 34 24 89 2c 24 c7 04 24 e1 exception.symbol: random+0x2068be exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2123966 exception.address: 0x13b68be registers.esp: 1439856 registers.edi: 0 registers.eax: 20671869 registers.ebp: 4009013268 registers.edx: 20681364 registers.ebx: 35802737 registers.esi: 1987954054 registers.ecx: 2241321320	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 0a e9 10 00 00 00 89 14 24 54 5a exception.symbol: random+0x20e1cb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2154955 exception.address: 0x13be1cb registers.esp: 1439856 registers.edi: 0 registers.eax: 29225 registers.ebp: 4009013268 registers.edx: 2130566132 registers.ebx: 922730691 registers.esi: 1987954054 registers.ecx: 20728790	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 6a 66 e8 3f 89 2c 24 e9 7f ff ff ff 56 be exception.symbol: random+0x20dffa exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2154490 exception.address: 0x13bdffa registers.esp: 1439856 registers.edi: 1783979243 registers.eax: 29225 registers.ebp: 4009013268 registers.edx: 4294940632 registers.ebx: 922730691 registers.esi: 1987954054 registers.ecx: 20728790	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 57 e9 66 00 00 00 35 2a 59 4f 53 50 56 58 5e exception.symbol: random+0x21750b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2192651 exception.address: 0x13c750b registers.esp: 1439852 registers.edi: 2134376448 registers.eax: 20738279 registers.ebp: 4009013268 registers.edx: 2130566132 registers.ebx: 20734466 registers.esi: 20714265 registers.ecx: 2130566132	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 51 89 34 24 89 e6 57 bf e6 02 ef 7d f7 df 53 exception.symbol: random+0x217a50 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2194000 exception.address: 0x13c7a50 registers.esp: 1439856 registers.edi: 2134376448 registers.eax: 20767376 registers.ebp: 4009013268 registers.edx: 2130566132 registers.ebx: 20734466 registers.esi: 20714265 registers.ecx: 2130566132	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 52 89 1c 24 68 80 e7 b3 6e 8b 1c 24 83 c4 04 exception.symbol: random+0x21716f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2191727 exception.address: 0x13c716f registers.esp: 1439856 registers.edi: 116969 registers.eax: 20741084 registers.ebp: 4009013268 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 20714265 registers.ecx: 2130566132	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 50 b8 15 29 7f 7f 05 25 ad d7 3f e9 4a fe ff exception.symbol: random+0x22ca57 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2280023 exception.address: 0x13dca57 registers.esp: 1439820 registers.edi: 20825723 registers.eax: 28206 registers.ebp: 4009013268 registers.edx: 0 registers.ebx: 0 registers.esi: 20824476 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 7a b0 e9 19 89 0c 24 68 62 32 b3 1c 89 14 exception.symbol: random+0x22c711 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2279185 exception.address: 0x13dc711 registers.esp: 1439824 registers.edi: 20853929 registers.eax: 28206 registers.ebp: 4009013268 registers.edx: 0 registers.ebx: 0 registers.esi: 20824476 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 56 e9 95 01 00 00 b9 51 04 exception.symbol: random+0x22c9b6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2279862 exception.address: 0x13dc9b6 registers.esp: 1439824 registers.edi: 20828673 registers.eax: 2298801283 registers.ebp: 4009013268 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 50 e9 f6 01 00 00 81 ed aa 3e fe 1b e9 c4 00 exception.symbol: random+0x22db96 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2284438 exception.address: 0x13ddb96 registers.esp: 1439824 registers.edi: 20828673 registers.eax: 29006 registers.ebp: 4009013268 registers.edx: 606898519 registers.ebx: 4294941932 registers.esi: 20858042 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 55 e9 1f fb ff ff ba 97 7a ec 1e bd 9b 7a ec exception.symbol: random+0x22e841 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2287681 exception.address: 0x13de841 registers.esp: 1439820 registers.edi: 20828673 registers.eax: 20833047 registers.ebp: 4009013268 registers.edx: 6628546 registers.ebx: 1236585227 registers.esi: 20858042 registers.ecx: 1727694802	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 57 50 50 c7 04 24 12 e1 f5 6d ff 04 24 87 14 exception.symbol: random+0x22ed16 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2288918 exception.address: 0x13ded16 registers.esp: 1439824 registers.edi: 20828673 registers.eax: 20861762 registers.ebp: 4009013268 registers.edx: 6628546 registers.ebx: 1236585227 registers.esi: 20858042 registers.ecx: 1727694802	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 52 57 89 04 24 b8 d1 f0 f1 5d 81 ec 04 00 00 exception.symbol: random+0x22ebd7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2288599 exception.address: 0x13debd7 registers.esp: 1439824 registers.edi: 20828673 registers.eax: 20835794 registers.ebp: 4009013268 registers.edx: 6628546 registers.ebx: 0 registers.esi: 604292950 registers.ecx: 1727694802	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 e1 2d df 29 e9 43 02 00 00 01 c2 58 87 14 exception.symbol: random+0x22f055 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2289749 exception.address: 0x13df055 registers.esp: 1439820 registers.edi: 20828673 registers.eax: 29102 registers.ebp: 4009013268 registers.edx: 20836190 registers.ebx: 0 registers.esi: 604292950 registers.ecx: 159342321	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 50 52 e9 a3 f6 ff ff 8f 04 24 e9 3d 00 00 00 exception.symbol: random+0x22f9cb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2292171 exception.address: 0x13df9cb registers.esp: 1439824 registers.edi: 20828673 registers.eax: 29102 registers.ebp: 4009013268 registers.edx: 20865292 registers.ebx: 0 registers.esi: 604292950 registers.ecx: 159342321	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 51 c7 04 24 5b d1 exception.symbol: random+0x22f18d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2290061 exception.address: 0x13df18d registers.esp: 1439824 registers.edi: 0 registers.eax: 29102 registers.ebp: 4009013268 registers.edx: 20839156 registers.ebx: 0 registers.esi: 2298801283 registers.ecx: 159342321	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb e9 40 ff ff ff c1 e1 05 81 e9 55 ac e9 3b 01 exception.symbol: random+0x234d0f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2313487 exception.address: 0x13e4d0f registers.esp: 1439820 registers.edi: 0 registers.eax: 20859687 registers.ebp: 4009013268 registers.edx: 0 registers.ebx: 65786 registers.esi: 2319644651 registers.ecx: 1971716238	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 31 d2 ff 34 10 56 89 e6 e9 7d 02 00 00 54 8b exception.symbol: random+0x234b6b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2313067 exception.address: 0x13e4b6b registers.esp: 1439824 registers.edi: 0 registers.eax: 20885999 registers.ebp: 4009013268 registers.edx: 0 registers.ebx: 65786 registers.esi: 2319644651 registers.ecx: 1971716238	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 50 e9 8c f8 ff ff c7 04 24 c5 8a b7 4f 89 14 exception.symbol: random+0x23537d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2315133 exception.address: 0x13e537d registers.esp: 1439824 registers.edi: 0 registers.eax: 20885999 registers.ebp: 4009013268 registers.edx: 4294943916 registers.ebx: 24811 registers.esi: 2319644651 registers.ecx: 1971716238	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb bb e3 2e 66 7d 81 ec 04 00 00 00 89 04 24 e9 exception.symbol: random+0x237315 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2323221 exception.address: 0x13e7315 registers.esp: 1439824 registers.edi: 0 registers.eax: 20897412 registers.ebp: 4009013268 registers.edx: 1941896294 registers.ebx: 24811 registers.esi: 2319644651 registers.ecx: 526325525	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 53 89 34 24 e9 3d 00 00 00 81 f1 5f c9 97 4b exception.symbol: random+0x23740c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2323468 exception.address: 0x13e740c registers.esp: 1439824 registers.edi: 0 registers.eax: 20872724 registers.ebp: 4009013268 registers.edx: 1941896294 registers.ebx: 0 registers.esi: 2319644651 registers.ecx: 81129	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb e9 1a ff ff ff 68 58 bd 37 40 89 0c 24 89 04 exception.symbol: random+0x23875d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2328413 exception.address: 0x13e875d registers.esp: 1439820 registers.edi: 0 registers.eax: 31429 registers.ebp: 4009013268 registers.edx: 746193419 registers.ebx: 20874751 registers.esi: 2319644651 registers.ecx: 81129	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 57 e9 1f 00 00 00 5b 83 c4 04 51 b9 04 00 00 exception.symbol: random+0x238ec3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2330307 exception.address: 0x13e8ec3 registers.esp: 1439824 registers.edi: 0 registers.eax: 3939837675 registers.ebp: 4009013268 registers.edx: 4294938512 registers.ebx: 20906180 registers.esi: 2319644651 registers.ecx: 81129	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 31 d2 e9 0e 00 00 00 89 e5 51 b9 9b 6a f6 49 exception.symbol: random+0x24589b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2381979 exception.address: 0x13f589b registers.esp: 1439824 registers.edi: 20959591 registers.eax: 31370 registers.ebp: 4009013268 registers.edx: 3695634190 registers.ebx: 20900786 registers.esi: 9027848 registers.ecx: 2134405603	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 51 81 ec 04 00 00 00 e9 44 00 00 00 81 c3 ff exception.symbol: random+0x245f22 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2383650 exception.address: 0x13f5f22 registers.esp: 1439824 registers.edi: 20959591 registers.eax: 604292951 registers.ebp: 4009013268 registers.edx: 4294939236 registers.ebx: 20900786 registers.esi: 9027848 registers.ecx: 2134405603	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 ea c2 6f 3c e9 bf ff ff ff 81 ec 04 00 00 exception.symbol: random+0x246a38 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2386488 exception.address: 0x13f6a38 registers.esp: 1439824 registers.edi: 20962026 registers.eax: 30055 registers.ebp: 4009013268 registers.edx: 1966477928 registers.ebx: 20900786 registers.esi: 4294939756 registers.ecx: 2134405603	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 52 e9 50 01 00 00 81 c6 04 00 00 00 e9 ab 02 exception.symbol: random+0x25a4cc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2467020 exception.address: 0x140a4cc registers.esp: 1439820 registers.edi: 20992648 registers.eax: 27792 registers.ebp: 4009013268 registers.edx: 1826760 registers.ebx: 1971716070 registers.esi: 21012493 registers.ecx: 2134376448	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 89 e7 68 4e 6a 08 3e 89 1c exception.symbol: random+0x25a066 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2465894 exception.address: 0x140a066 registers.esp: 1439824 registers.edi: 0 registers.eax: 27792 registers.ebp: 4009013268 registers.edx: 1826760 registers.ebx: 565493864 registers.esi: 21015473 registers.ecx: 2134376448	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 89 3c 24 53 c7 04 24 1b 5f cf 05 exception.symbol: random+0x267704 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2520836 exception.address: 0x1417704 registers.esp: 1439820 registers.edi: 709277625 registers.eax: 28192 registers.ebp: 4009013268 registers.edx: 108 registers.ebx: 21065349 registers.esi: 4067330366 registers.ecx: 109	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 ea 87 27 2f 89 1c 24 e9 b0 f7 ff ff 89 e7 exception.symbol: random+0x2677fc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2521084 exception.address: 0x14177fc registers.esp: 1439824 registers.edi: 709277625 registers.eax: 28192 registers.ebp: 4009013268 registers.edx: 108 registers.ebx: 21093541 registers.esi: 4067330366 registers.ecx: 109	1
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: fb 68 e1 5b 84 47 89 3c 24 e9 29 00 00 00 01 d9 exception.symbol: random+0x26725b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2519643 exception.address: 0x141725b registers.esp: 1439824 registers.edi: 709277625 registers.eax: 4294942016 registers.ebp: 4009013268 registers.edx: 108 registers.ebx: 21093541 registers.esi: 322689 registers.ecx: 109	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Sept. 21, 2024, 9:21 a.m.	ip_address: 127.0.0.1 socket: 940 port: 0	1	0
listen Sept. 21, 2024, 9:21 a.m.	socket: 940 backlog: 5	1	0
accept Sept. 21, 2024, 9:21 a.m.	ip_address: 127.0.0.1 socket: 940 port: 49251	1	960

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.103/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/well/random.exe

Performs some HTTP requests (5 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://185.215.113.100/steam/random.exe
request	GET http://185.215.113.103/
request	POST http://185.215.113.103/e2b1563c6670f193.php
request	GET http://185.215.113.103/well/random.exe

Sends data using the HTTP POST Method (2 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	POST http://185.215.113.103/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 239 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:13 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 9:19 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (42 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2356 crashed
Application Crash	Process firefox.exe with pid 2744 crashed
Application Crash	Process firefox.exe with pid 2104 crashed
Application Crash	Process firefox.exe with pid 2372 crashed
Application Crash	Process firefox.exe with pid 1576 crashed
Application Crash	Process firefox.exe with pid 2728 crashed
Application Crash	Process firefox.exe with pid 2416 crashed
Application Crash	Process firefox.exe with pid 2776 crashed
Application Crash	Process firefox.exe with pid 2676 crashed
Application Crash	Process firefox.exe with pid 3232 crashed
Application Crash	Process firefox.exe with pid 3504 crashed
Application Crash	Process firefox.exe with pid 3776 crashed
Application Crash	Process firefox.exe with pid 3860 crashed
Application Crash	Process firefox.exe with pid 1872 crashed
Application Crash	Process firefox.exe with pid 3584 crashed
Application Crash	Process firefox.exe with pid 3844 crashed
Application Crash	Process firefox.exe with pid 2260 crashed
Application Crash	Process firefox.exe with pid 2760 crashed
Application Crash	Process firefox.exe with pid 3904 crashed
Application Crash	Process firefox.exe with pid 3076 crashed
Application Crash	Process firefox.exe with pid 1780 crashed
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xbc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbc1f04 registers.r14: 9366856 registers.r15: 8791562098288 registers.rcx: 48 registers.rsi: 8791562029952 registers.r10: 0 registers.rbx: 0 registers.rsp: 9366488 registers.r11: 9369872 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 15965392 registers.rbp: 9366608 registers.rdi: 69312544 registers.rax: 12328704 registers.r13: 9367448	1	0	0
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10156240 registers.r15: 10155744 registers.rcx: 48 registers.rsi: 14706336 registers.r10: 0 registers.rbx: 0 registers.rsp: 10154792 registers.r11: 10156992 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 10155575 registers.rbp: 10154912 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8780528 registers.r15: 8780032 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 8779080 registers.r11: 8781280 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8779863 registers.rbp: 8779200 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9959216 registers.r15: 9958720 registers.rcx: 48 registers.rsi: 14704992 registers.r10: 0 registers.rbx: 0 registers.rsp: 9957768 registers.r11: 9959968 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9958551 registers.rbp: 9957888 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8779248 registers.r15: 8778752 registers.rcx: 48 registers.rsi: 14707200 registers.r10: 0 registers.rbx: 0 registers.rsp: 8777800 registers.r11: 8780000 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 8778583 registers.rbp: 8777920 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9565632 registers.r15: 9565136 registers.rcx: 48 registers.rsi: 14706816 registers.r10: 0 registers.rbx: 0 registers.rsp: 9564184 registers.r11: 9566384 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9564967 registers.rbp: 9564304 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:13 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9956712 registers.r15: 8791562098288 registers.rcx: 48 registers.rsi: 8791562029952 registers.r10: 0 registers.rbx: 0 registers.rsp: 9956344 registers.r11: 9959728 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14906464 registers.rbp: 9956464 registers.rdi: 65118240 registers.rax: 13442816 registers.r13: 9957304	1	0	0
__exception__ Sept. 21, 2024, 9:12 a.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 8713568 registers.r15: 8713072 registers.rcx: 48 registers.rsi: 14707296 registers.r10: 0 registers.rbx: 0 registers.rsp: 8712120 registers.r11: 8714320 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8712903 registers.rbp: 8712240 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8714848 registers.r15: 8714352 registers.rcx: 48 registers.rsi: 14705952 registers.r10: 0 registers.rbx: 0 registers.rsp: 8713400 registers.r11: 8715600 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8714183 registers.rbp: 8713520 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8780176 registers.r15: 8779680 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 8778728 registers.r11: 8780928 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8779511 registers.rbp: 8778848 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9434816 registers.r15: 9434320 registers.rcx: 48 registers.rsi: 14706240 registers.r10: 0 registers.rbx: 0 registers.rsp: 9433368 registers.r11: 9435568 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9434151 registers.rbp: 9433488 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8779520 registers.r15: 8779024 registers.rcx: 48 registers.rsi: 14704992 registers.r10: 0 registers.rbx: 0 registers.rsp: 8778072 registers.r11: 8780272 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8778855 registers.rbp: 8778192 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:20 a.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9108624 registers.r15: 9108128 registers.rcx: 48 registers.rsi: 14704992 registers.r10: 0 registers.rbx: 0 registers.rsp: 9107176 registers.r11: 9109376 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9107959 registers.rbp: 9107296 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:20 a.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9894880 registers.r15: 9894384 registers.rcx: 48 registers.rsi: 14706528 registers.r10: 0 registers.rbx: 0 registers.rsp: 9893432 registers.r11: 9895632 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9894215 registers.rbp: 9893552 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:21 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8778928 registers.r15: 8778432 registers.rcx: 48 registers.rsi: 14705568 registers.r10: 0 registers.rbx: 0 registers.rsp: 8777480 registers.r11: 8779680 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8778263 registers.rbp: 8777600 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:21 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9238160 registers.r15: 9237664 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 9236712 registers.r11: 9238912 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9237495 registers.rbp: 9236832 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:21 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10156352 registers.r15: 10155856 registers.rcx: 48 registers.rsi: 14705952 registers.r10: 0 registers.rbx: 0 registers.rsp: 10154904 registers.r11: 10157104 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 10155687 registers.rbp: 10155024 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:21 a.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9697392 registers.r15: 9696896 registers.rcx: 48 registers.rsi: 14706336 registers.r10: 0 registers.rbx: 0 registers.rsp: 9695944 registers.r11: 9698144 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9696727 registers.rbp: 9696064 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:21 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10614896 registers.r15: 10614400 registers.rcx: 48 registers.rsi: 14707488 registers.r10: 0 registers.rbx: 0 registers.rsp: 10613448 registers.r11: 10615648 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10614231 registers.rbp: 10613568 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:21 a.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9238096 registers.r15: 9237600 registers.rcx: 48 registers.rsi: 14705664 registers.r10: 0 registers.rbx: 0 registers.rsp: 9236648 registers.r11: 9238848 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9237431 registers.rbp: 9236768 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 9:22 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9368832 registers.r15: 9368336 registers.rcx: 48 registers.rsi: 14707200 registers.r10: 0 registers.rbx: 0 registers.rsp: 9367384 registers.r11: 9369584 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9368167 registers.rbp: 9367504 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe
file	C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe
file	C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 21, 2024, 9:19 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1
ShellExecuteExW Sept. 21, 2024, 9:19 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe	1	1
ShellExecuteExW Sept. 21, 2024, 9:19 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe parameters: filepath: C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe	1	1
ShellExecuteExW Sept. 21, 2024, 9:19 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000017a8b500000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process svoutse.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 21, 2024, 9:19 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¢fífà ÈB"Nà@@NË+@Pð#døñ# Ð#:@à.rsrc à#J@À.idata ð#J@Àhlsayvii$L@àbioqaxivNL+@à.taggant0N"P+@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:19 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¢fífà ÈB"Nà@@NË+@Pð#døñ# Ð#:@à.rsrc à#J@À.idata ð#J@Àhlsayvii$L@àbioqaxivNL+@à.taggant0N"P+@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 9:19 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL·îfà"¬ `wÀ @p@@@d\|@ Ô¥ð uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcÔ¥@ ¦ô@@.relocuð v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè]N$èUÆ^ÃUìQSVWùûÿÿ@Ç8ûÿÿ\ÉIPûÿÿ:ûÿÿ\|üÿÿÀi3öVVVhHÉIÿÐÇI9·dýÿÿ[3ö9·4ýÿÿKËè®3ö9·Dýÿÿ3ö9·Týÿÿ·lýÿÿÎè÷º3ÉÇF@Ç9ûÿÿt5MüQMüQûÿÿè/ûÿÿ@ÈèÆ@Ç¸ûÿÿuÎÿlÈIOàÉkOÔÉu3Û_ÜOÄÉãO¤_Ìè`þÿÿè ·dþÿÿÎÇ<ÉIèÿvè¿èYýÿÿè\|ýÿÿè#lýÿÿè)º·\ýÿÿÎÇDÉIètÿvèèóÇLýÿÿ@ÉIY9Týÿÿòÿ·PýÿÿTýÿÿèXèóÇ<ýÿÿ@ÉIY9Dýÿÿñÿ·@ýÿÿDýÿÿè.èóÇ,ýÿÿ@ÉIY94ýÿÿðÿ·0ýÿÿ4ýÿÿèèY$ýÿÿÉù·ýÿÿÎÇ<ÉIè£ÿvèÚçYýÿÿÉãüüÿÿÉéèüÿÿè-ÐüÿÿèÄüÿÿÉÙÌüÿÿ¸üÿÿÉÙlüÿÿÀüÿÿèï\üÿÿèäLüÿÿèÙüÿÿèµ_^[ÉÃ`ýÿÿ°Àt#ÿ0ÿ5MÿÅI`ýÿÿ°ÉtQèØùÿÿF;·dýÿÿfýÿÿë¿qQèþàÎö þÿÿëëVñW3ÿN>è5N$è-N4èsPN`èkPèjÇ¼<ÉI¾À¾Ä¾ÈèiæY8Æ_^ÃVWùÉtQè_·¼ÎÇ<ÉIè6ÿvèmæYèÜO`è¯QO4è§QO$èÄO_^éºVñW3ÿ9~f_^ÃVñjVè×åYYÆ^ÂVñW3ÿ9~wf_^ÃFjÿ4¸è°åYYF$¸G;~sÝëâSVñ3ÛW¾d9u%\|èÿÿÿ¾p9u9=_^[ÃÏèÛëÎÏè=ëÚWùxÿÿÿ@Ç8xÿÿÿhÉIèhOðèóOàèëOÐèãOÀèÛO¬èÓOèËOèÃ\|ÿÿÿÉug_ÃVéË VWñè¶@öÉ _^ÃVqöÜ ^ÃWùu&?ÿu_ÃVw$Ïèij(WèäþYYöuæ^_ÃÿwèÓäYëÏVñÉtQèþÿÿìèP¼è&¬èèèN^éVWù3öD÷ÀN Fþ\|î_^ÃSVñ3ÛW8^ T 8^uNy8ÉtQè~^ ÿ_^[Ã³ëóVñN è²µÎè«µj@VèÐãYYÆ^ÂUìSÙVW{ {u)EÏ0è~µ7ÇGC{ _^[u Æ@]Â8ëÒ@8ëî3ÀÇMd3Éf£2MA¢4Mj 8M <M @M¢PMf£üM ôM øM¹úX M£DM£HM LMÃUìWù rVj@èãYÿuðÎèON8w^ÿ_]ÂUìVuWùVgèëåFO GFGFGF aPèÉåF0G0Ç_^]Â3Ò3À@AQQQQA,ÁQ Q(Q0ÃVñ&NèWèþèó¬èè¼èÝìè LjèEâÇ$\|ÉI ÿ ÇIFÆ^ÃjAZ @êuõÁÃSV5ÆI3ÛWùjXSGfÇG____j[ÇGÿÖSjG)ÿÖSh request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.9787112936114815, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97871129361

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00196e00', u'virtual_address': u'0x00304000', u'entropy': 7.953132556512515, u'name': u'slovfzks', u'virtual_size': u'0x00197000'}

entropy

7.95313255651

description

A section with a high entropy has been found

entropy

0.993961021136

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 162 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	185.215.113.103
host	31.41.244.10

Allocates execute permission to another process indicative of possible code injection (36 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 1576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 1576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:20 a.m.	process_identifier: 3584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 3844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 3844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 3904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 3904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 1780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 1780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 9:21 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 542 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 9:19 a.m.	class_name: OLLYDBG window_name:		0	0

A process attempted to delay the analysis task. (2 events)

description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	svoutse.exe tried to sleep 1692 seconds, actually delayed analysis time by 1692 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9689483c43.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\23f4812b8e.exe	reg_value	C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\74e2c6ecf7.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe
file	C:\Windows\Tasks\svoutse.job

Potential code injection by writing to the memory of another process (50 out of 162 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 2356 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Ôy base_address: 0x000000013fba0d78 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2356 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Ôy base_address: 0x000000013fba0d70 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: ÏT base_address: 0x000000013fb40108 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb9aae8 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0c78 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 2744 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Bc base_address: 0x000000013fba0d78 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2744 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Bc base_address: 0x000000013fba0d70 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: ÏT base_address: 0x000000013fb40108 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb9aae8 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0c78 process_identifier: 2744 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 2104 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: u9 base_address: 0x000000013fba0d78 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2104 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: u9 base_address: 0x000000013fba0d70 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: ÏT base_address: 0x000000013fb40108 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb9aae8 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0c78 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 2372 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: âQ base_address: 0x000000013fba0d78 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2372 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: âQ base_address: 0x000000013fba0d70 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: ÏT base_address: 0x000000013fb40108 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb9aae8 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0c78 process_identifier: 2372 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 1576 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Üu base_address: 0x000000013fba0d78 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1576 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Üu base_address: 0x000000013fba0d70 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: ÏT base_address: 0x000000013fb40108 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb9aae8 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0c78 process_identifier: 1576 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 2728 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 2728 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 2728 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: C base_address: 0x000000013fba0d78 process_identifier: 2728 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2728 process_handle: 0x0000000000000050	1	1

One or more non-whitelisted processes were created (32 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\3d625017-5073-4e56-bd3a-cd5921e5d492.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\d2eae037-8988-407b-a6d3-f86b71ff5ff3.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\32e0ed30-e778-4679-84dc-c44141c2515a.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\350d8c5a-c101-4457-962f-25918f282ee7.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\07e8335b-76ca-4bf2-8a37-b0334d058974.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f29ca694-0d34-4a80-ae96-f8a58931ccab.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\dea64fbd-5898-45e2-b245-2e4b2398afe3.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\ae0965bd-8ece-4bc0-8b9e-f361bd7860fc.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\b28664aa-ac75-4768-b7de-b27000e704b6.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6dc696bd-ac7d-473e-ba28-8b077e44d305.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\a8b9f685-5eda-4121-ae2f-a3256eb94ea8.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\8ca021dc-c7d6-49fb-8ed5-8b29fc5fbf04.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\7a0a2923-f4a5-492a-95ea-ca19ba432f81.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\841baca1-9369-4a7a-93ca-dc0c45b62afe.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (36 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2604 resumed a thread in remote process 2356
Process injection	Process 2672 resumed a thread in remote process 2744
Process injection	Process 196 resumed a thread in remote process 2104
Process injection	Process 284 resumed a thread in remote process 2372
Process injection	Process 1304 resumed a thread in remote process 1576
Process injection	Process 2872 resumed a thread in remote process 2728
Process injection	Process 1156 resumed a thread in remote process 2416
Process injection	Process 536 resumed a thread in remote process 2676
Process injection	Process 1092 resumed a thread in remote process 3232
Process injection	Process 3416 resumed a thread in remote process 3504
Process injection	Process 3700 resumed a thread in remote process 3776
Process injection	Process 4036 resumed a thread in remote process 3144
Process injection	Process 412 resumed a thread in remote process 3584
Process injection	Process 3672 resumed a thread in remote process 3844
Process injection	Process 3192 resumed a thread in remote process 2260
Process injection	Process 3520 resumed a thread in remote process 3904
Process injection	Process 2824 resumed a thread in remote process 1780
Process injection	Process 4112 resumed a thread in remote process 4232
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2356	1	0	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2744	1	0	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2104	1	0	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2372	1	0	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1576	1	0	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2728	1	0	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2416	1	0	0
NtResumeThread Sept. 21, 2024, 9:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2676	1	0	0
NtResumeThread Sept. 21, 2024, 9:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3232	1	0	0
NtResumeThread Sept. 21, 2024, 9:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3504	1	0	0
NtResumeThread Sept. 21, 2024, 9:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3776	1	0	0
NtResumeThread Sept. 21, 2024, 9:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3144	1	0	0
NtResumeThread Sept. 21, 2024, 9:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3584	1	0	0
NtResumeThread Sept. 21, 2024, 9:21 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3844	1	0	0
NtResumeThread Sept. 21, 2024, 9:21 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2260	1	0	0
NtResumeThread Sept. 21, 2024, 9:21 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3904	1	0	0
NtResumeThread Sept. 21, 2024, 9:21 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1780	1	0	0
NtResumeThread Sept. 21, 2024, 9:21 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 4232	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 14 24 c7 04 24 45 exception.symbol: random+0x1e99f7 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2005495 exception.address: 0x13999f7 registers.esp: 1439856 registers.edi: 4009496 registers.eax: 1447909480 registers.ebp: 4009013268 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 20551509 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 521 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 21, 2024, 9:19 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2576	1	0
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2844 thread_handle: 0x000003dc process_identifier: 2840 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
NtResumeThread Sept. 21, 2024, 9:19 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2840	1	0
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 3040 thread_handle: 0x00000474 process_identifier: 3036 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000042001\9689483c43.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2184 thread_handle: 0x00000460 process_identifier: 1400 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe" filepath_r: C:\Users\test22\AppData\Roaming\1000043000\23f4812b8e.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000470	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2564 thread_handle: 0x00000458 process_identifier: 2568 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000048001\74e2c6ecf7.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2516 thread_handle: 0x00000134 process_identifier: 2604 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2676 thread_handle: 0x00000138 process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 940 thread_handle: 0x00000134 process_identifier: 196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 300 thread_handle: 0x00000138 process_identifier: 284 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 544 thread_handle: 0x00000134 process_identifier: 1304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2852 thread_handle: 0x00000138 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 648 thread_handle: 0x00000134 process_identifier: 1156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:19 a.m.	thread_identifier: 2812 thread_handle: 0x00000138 process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 1656 thread_handle: 0x00000134 process_identifier: 536 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 920 thread_handle: 0x00000138 process_identifier: 1092 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 3420 thread_handle: 0x00000134 process_identifier: 3416 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 3704 thread_handle: 0x00000138 process_identifier: 3700 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 3864 thread_handle: 0x00000134 process_identifier: 3860 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 4040 thread_handle: 0x00000138 process_identifier: 4036 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 3212 thread_handle: 0x00000134 process_identifier: 1872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 1088 thread_handle: 0x00000138 process_identifier: 412 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:20 a.m.	thread_identifier: 3616 thread_handle: 0x00000134 process_identifier: 3672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:21 a.m.	thread_identifier: 2036 thread_handle: 0x00000138 process_identifier: 3192 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:21 a.m.	thread_identifier: 3528 thread_handle: 0x00000134 process_identifier: 3520 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:21 a.m.	thread_identifier: 2796 thread_handle: 0x00000138 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:21 a.m.	thread_identifier: 1172 thread_handle: 0x00000134 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:21 a.m.	thread_identifier: 2124 thread_handle: 0x00000138 process_identifier: 3076 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Sept. 21, 2024, 9:21 a.m.	thread_identifier: 4116 thread_handle: 0x00000134 process_identifier: 4112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Sept. 21, 2024, 9:12 a.m.	thread_identifier: 2628 thread_handle: 0x0000000000000044 process_identifier: 2356 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fb922b0 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0d88 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Sept. 21, 2024, 9:12 a.m.	section_handle: 0x0000000000000060 process_identifier: 2356 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000079d40000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Sept. 21, 2024, 9:12 a.m.	process_identifier: 2356 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000079d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I»`#¶?Aÿã base_address: 0x0000000076d81590 process_identifier: 2356 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Ôy base_address: 0x000000013fba0d78 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: I» ¶?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2356 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Ôy base_address: 0x000000013fba0d70 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: ÏT base_address: 0x000000013fb40108 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb9aae8 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 9:12 a.m.	buffer: base_address: 0x000000013fba0c78 process_identifier: 2356 process_handle: 0x000000000000004c	1	1
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2356	1	0
NtResumeThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000170 suspend_count: 1 process_identifier: 2356	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000234	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x000000000000023c	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000240	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000244	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000248	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x000000000000024c	1	0
NtGetContextThread Sept. 21, 2024, 9:12 a.m.	thread_handle: 0x0000000000000250	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Themida.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Gen:Variant.Kryptik.260
Arcabit	Trojan.Kryptik.260
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!CB218D4896BA
Trapmine	malicious.moderate.ml.score
CTX	exe.unknown.kryptik
Sophos	Mal/Stealc-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.cb218d4896ba79bb
Google	Detected
Avira	TR/Crypt.TPM.Gen
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
McAfee	Themida-FWSE!CB218D4896BA
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
AVG	Win32:Evo-gen [Trj]

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All