Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 21, 2024, 1:49 p.m.	Sept. 21, 2024, 1:58 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e0bb28202965797f022195320f3287d5`
SHA256	`64308fda3f0566fbbafed8d1bc257c957310a6dd1b3cc53f232d0b65e206dc24`
CRC32	`1534BB61`
ssdeep	`24576:U8zDHBGaCxNUfGac6MbjmsgGc+XIXQ3wpaJEgeqeqWcGM/eVnv0ySamsqMP6f:UOB9CxmoVPgGrIClgqMhnv0ySLs/Cf`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1488
- svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2336
  - 376da640f6.exe "C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe"
    2588
  - 55cf86bf67.exe "C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe"
    2828
  - 561157fcb2.exe "C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe"
    2356
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2164
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2208
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9af36891-14e2-4960-9330-28c2e6c4cdd4.dmp"
        1656
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9af36891-14e2-4960-9330-28c2e6c4cdd4.dmp"
        2876
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2140
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2600
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\3f42309d-df3c-45c3-9182-d32d2d3f5808.dmp"
        1284
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\3f42309d-df3c-45c3-9182-d32d2d3f5808.dmp"
        2556
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2364
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2296
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\fe950943-fc74-4339-9743-298b6f4d5f6e.dmp"
        2916
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\fe950943-fc74-4339-9743-298b6f4d5f6e.dmp"
        2936
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      1952
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2184
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\05835e05-6121-4708-9111-fa231fd15bbd.dmp"
        1344
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\05835e05-6121-4708-9111-fa231fd15bbd.dmp"
        1676
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      1044
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\9bd80c9c-b09a-47ab-a61a-f24b47a41f96.dmp"
        912
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\9bd80c9c-b09a-47ab-a61a-f24b47a41f96.dmp"
        2672
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2144
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2716
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.0.1065464047\3116012" -parentBuildID 20220922151854 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 21970 -prefMapSize 232313 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d06d4ee-f454-4852-b362-cca3c9aec234} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1240 45f5058 gpu
        3272
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2252
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        2884
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\1a89e6be-7a47-455c-9541-3c3b3330f95e.dmp"
        3304
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\1a89e6be-7a47-455c-9541-3c3b3330f95e.dmp"
        3472
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2880
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        184
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\1ad1df49-1767-4777-81d0-942a4e0e0de9.dmp"
        3516
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\1ad1df49-1767-4777-81d0-942a4e0e0de9.dmp"
        3604
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2784
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        724
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      2368
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        1212
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\bbf14a46-52db-4c51-a02d-9c4a3e7ad641.dmp"
        3824
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\bbf14a46-52db-4c51-a02d-9c4a3e7ad641.dmp"
        3892
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3176
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3328
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\88a6e7e5-4d1d-473e-9946-722f2f3b3f49.dmp"
        4072
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\88a6e7e5-4d1d-473e-9946-722f2f3b3f49.dmp"
        3084
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      3412
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        3644
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.100	Active	Moloch
185.215.113.103	Active	Moloch
31.41.244.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 31.41.244.10:80 -> 192.168.56.103:49165	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.103:49166 -> 185.215.113.100:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.100:80 -> 192.168.56.103:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.100:80 -> 192.168.56.103:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 185.215.113.100:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 185.215.113.103:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.103:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49169	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 185.215.113.103:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.103:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.103:80 -> 192.168.56.103:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.103:80 -> 192.168.56.103:49169	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 185.215.113.103:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.103:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.103:80 -> 192.168.56.103:49184	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.103:80 -> 192.168.56.103:49184	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 185.215.113.103:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 185.215.113.103:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Sept. 21, 2024, 1:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 1:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 1:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 1:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2024, 1:49 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 242 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:50 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:51 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2024, 1:49 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	apaxlpat
section	cryotofr
section	.taggant

One or more processes crashed (50 out of 508 events)

Time & API	Arguments	Status
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3240b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3293369 exception.address: 0x14440b9 registers.esp: 4389148 registers.edi: 0 registers.eax: 1 registers.ebp: 4389164 registers.edx: 22978560 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 57 bf c7 01 38 67 f7 d7 52 ba bc 86 df 77 e9 exception.symbol: random+0x6d24e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447054 exception.address: 0x118d24e registers.esp: 4389112 registers.edi: 1971192040 registers.eax: 30895 registers.ebp: 4008423444 registers.edx: 17956864 registers.ebx: 0 registers.esi: 3 registers.ecx: 18402737	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 7b 02 44 22 89 04 24 89 e0 57 bf exception.symbol: random+0x6d353 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447315 exception.address: 0x118d353 registers.esp: 4389116 registers.edi: 1971192040 registers.eax: 30895 registers.ebp: 4008423444 registers.edx: 17956864 registers.ebx: 0 registers.esi: 3 registers.ecx: 18433632	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb e9 a4 06 00 00 c7 04 24 78 50 bf 7f 5e c1 e6 exception.symbol: random+0x6ce47 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446023 exception.address: 0x118ce47 registers.esp: 4389116 registers.edi: 0 registers.eax: 30895 registers.ebp: 4008423444 registers.edx: 17956864 registers.ebx: 0 registers.esi: 1373669712 registers.ecx: 18405692	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 62 17 4b 25 e9 ed fc ff ff 81 ca 4e 06 fd exception.symbol: random+0x6dfac exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450476 exception.address: 0x118dfac registers.esp: 4389116 registers.edi: 0 registers.eax: 29089 registers.ebp: 4008423444 registers.edx: 17956864 registers.ebx: 18435151 registers.esi: 236777 registers.ecx: 4294940972	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 57 81 ec 04 00 00 00 89 14 24 55 bd a0 53 bf exception.symbol: random+0x1f697d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2058621 exception.address: 0x131697d registers.esp: 4389116 registers.edi: 18442055 registers.eax: 30295 registers.ebp: 4008423444 registers.edx: 0 registers.ebx: 10223772 registers.esi: 492521 registers.ecx: 20015675	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 25 3b 4f 55 89 2c 24 81 ec 04 00 00 00 89 exception.symbol: random+0x1f8b5f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2067295 exception.address: 0x1318b5f registers.esp: 4389112 registers.edi: 19988576 registers.eax: 28750 registers.ebp: 4008423444 registers.edx: 20021900 registers.ebx: 20020650 registers.esi: 20022918 registers.ecx: 1940069169	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 55 e9 a8 f5 ff ff ff 34 24 5b 56 89 e6 81 c6 exception.symbol: random+0x1f913c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2068796 exception.address: 0x131913c registers.esp: 4389116 registers.edi: 19988576 registers.eax: 28750 registers.ebp: 4008423444 registers.edx: 20021900 registers.ebx: 20020650 registers.esi: 20051668 registers.ecx: 1940069169	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb e9 2c ff ff ff 81 c7 81 80 df 15 e9 75 ff ff exception.symbol: random+0x1f8b48 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2067272 exception.address: 0x1318b48 registers.esp: 4389116 registers.edi: 19988576 registers.eax: 28750 registers.ebp: 4008423444 registers.edx: 20021900 registers.ebx: 202985 registers.esi: 20051668 registers.ecx: 4294941480	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb e9 43 00 00 00 ba 04 00 00 00 01 d7 e9 5b fc exception.symbol: random+0x1fdbe9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2087913 exception.address: 0x131dbe9 registers.esp: 4389112 registers.edi: 4861680 registers.eax: 20043465 registers.ebp: 4008423444 registers.edx: 20021900 registers.ebx: 202985 registers.esi: 20051668 registers.ecx: 14288	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 df 05 00 00 5f 81 ec 04 exception.symbol: random+0x1fd833 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2086963 exception.address: 0x131d833 registers.esp: 4389116 registers.edi: 1259 registers.eax: 20075624 registers.ebp: 4008423444 registers.edx: 20021900 registers.ebx: 202985 registers.esi: 20051668 registers.ecx: 4294937952	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 35 d9 ff ff 29 da 81 exception.symbol: random+0x204b14 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2116372 exception.address: 0x1324b14 registers.esp: 4389108 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4008423444 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 20058303 registers.ecx: 20	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x206844 exception.address: 0x1326844 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2123844 registers.esp: 4389108 registers.edi: 1259 registers.eax: 1 registers.ebp: 4008423444 registers.edx: 22104 registers.ebx: 0 registers.esi: 20058303 registers.ecx: 20	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 88 37 2d 12 01 exception.symbol: random+0x2069b2 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2124210 exception.address: 0x13269b2 registers.esp: 4389108 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4008423444 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20058303 registers.ecx: 10	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 50 56 89 14 24 89 34 24 e9 9f 01 00 00 89 14 exception.symbol: random+0x209cd9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2137305 exception.address: 0x1329cd9 registers.esp: 4389116 registers.edi: 1259 registers.eax: 26269 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 1392536160 registers.esi: 4294943500 registers.ecx: 20120149	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 52 e8 03 00 00 00 20 5a c3 5a exception.symbol: random+0x20a821 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2140193 exception.address: 0x132a821 registers.esp: 4389076 registers.edi: 0 registers.eax: 4389076 registers.ebp: 4008423444 registers.edx: 0 registers.ebx: 20097367 registers.esi: 4294901760 registers.ecx: 313214124	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 50 56 89 14 24 c7 04 24 de 36 bb 6f e9 1c fc exception.symbol: random+0x219a13 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2202131 exception.address: 0x1339a13 registers.esp: 4389116 registers.edi: 18399966 registers.eax: 28754 registers.ebp: 4008423444 registers.edx: 6 registers.ebx: 4294941560 registers.esi: 20185903 registers.ecx: 1058793	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb e9 f3 00 00 00 89 d8 5b 01 f8 5f f7 d8 40 e9 exception.symbol: random+0x21d9e2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2218466 exception.address: 0x133d9e2 registers.esp: 4389116 registers.edi: 18399966 registers.eax: 31128 registers.ebp: 4008423444 registers.edx: 6 registers.ebx: 1673268492 registers.esi: 20185903 registers.ecx: 20203868	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 50 53 89 3c 24 c7 exception.symbol: random+0x21d6e6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2217702 exception.address: 0x133d6e6 registers.esp: 4389116 registers.edi: 0 registers.eax: 31128 registers.ebp: 4008423444 registers.edx: 6 registers.ebx: 1673268492 registers.esi: 605849941 registers.ecx: 20175812	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 55 e9 d3 04 00 00 52 57 68 e4 d8 7a 59 5f 81 exception.symbol: random+0x21de2a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2219562 exception.address: 0x133de2a registers.esp: 4389112 registers.edi: 0 registers.eax: 28134 registers.ebp: 4008423444 registers.edx: 864660500 registers.ebx: 20176186 registers.esi: 605849941 registers.ecx: 20175812	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 55 54 5d 50 b8 a3 cd 7f 55 e9 5c 00 00 00 5e exception.symbol: random+0x21e655 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2221653 exception.address: 0x133e655 registers.esp: 4389116 registers.edi: 0 registers.eax: 28134 registers.ebp: 4008423444 registers.edx: 864660500 registers.ebx: 20204320 registers.esi: 605849941 registers.ecx: 20175812	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 51 b9 d1 ef ce 37 89 ca 59 81 f2 65 f8 c1 exception.symbol: random+0x21de9a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2219674 exception.address: 0x133de9a registers.esp: 4389116 registers.edi: 0 registers.eax: 262633 registers.ebp: 4008423444 registers.edx: 864660500 registers.ebx: 20179356 registers.esi: 605849941 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 be ea 96 e7 7b e9 6c fb ff exception.symbol: random+0x224be6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2247654 exception.address: 0x1344be6 registers.esp: 4389104 registers.edi: 0 registers.eax: 28206 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 20203155 registers.esi: 605849941 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 b8 2a 80 d3 3d 81 ec 04 00 00 00 exception.symbol: random+0x224fdf exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2248671 exception.address: 0x1344fdf registers.esp: 4389108 registers.edi: 0 registers.eax: 84201 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 20231361 registers.esi: 605849941 registers.ecx: 4294941912	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 81 c3 7d 16 ff 3b 81 c3 3e 54 fb 3d 03 1c 24 exception.symbol: random+0x242a91 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2370193 exception.address: 0x1362a91 registers.esp: 4389072 registers.edi: 56308 registers.eax: 26165 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 20324774 registers.esi: 20320720 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 09 8d b9 33 89 0c 24 b9 20 11 df exception.symbol: random+0x242740 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2369344 exception.address: 0x1362740 registers.esp: 4389076 registers.edi: 56308 registers.eax: 26165 registers.ebp: 4008423444 registers.edx: 116969 registers.ebx: 20327419 registers.esi: 0 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb e9 9e f8 ff ff 81 c2 12 fc 3e 79 e9 6d fe ff exception.symbol: random+0x243ece exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2375374 exception.address: 0x1363ece registers.esp: 4389076 registers.edi: 20332407 registers.eax: 0 registers.ebp: 4008423444 registers.edx: 116969 registers.ebx: 527444256 registers.esi: 0 registers.ecx: 605325649	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 bb 53 a0 7e 7e e9 dc fd ff ff 81 exception.symbol: random+0x24478d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2377613 exception.address: 0x136478d registers.esp: 4389072 registers.edi: 20332407 registers.eax: 27464 registers.ebp: 4008423444 registers.edx: 116969 registers.ebx: 673534198 registers.esi: 0 registers.ecx: 20332854	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 53 e9 c7 00 00 00 exception.symbol: random+0x2441b8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2376120 exception.address: 0x13641b8 registers.esp: 4389076 registers.edi: 8654688 registers.eax: 27464 registers.ebp: 4008423444 registers.edx: 4294942212 registers.ebx: 673534198 registers.esi: 0 registers.ecx: 20360318	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 ba 15 09 67 0d c1 ea 01 e9 8c 01 00 00 b9 exception.symbol: random+0x245ace exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2382542 exception.address: 0x1365ace registers.esp: 4389072 registers.edi: 8654688 registers.eax: 28411 registers.ebp: 4008423444 registers.edx: 973180160 registers.ebx: 673534198 registers.esi: 0 registers.ecx: 20337411	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 31 ff 34 24 e9 c2 02 00 00 8b 34 exception.symbol: random+0x24562d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2381357 exception.address: 0x136562d registers.esp: 4389076 registers.edi: 8654688 registers.eax: 28411 registers.ebp: 4008423444 registers.edx: 973180160 registers.ebx: 673534198 registers.esi: 0 registers.ecx: 20365822	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 53 e9 eb 01 00 00 87 0c 24 exception.symbol: random+0x245a20 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2382368 exception.address: 0x1365a20 registers.esp: 4389076 registers.edi: 8654688 registers.eax: 28411 registers.ebp: 4008423444 registers.edx: 973180160 registers.ebx: 1375758944 registers.esi: 4294941324 registers.ecx: 20365822	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 53 e9 56 05 00 00 51 e9 78 02 00 00 ff 34 24 exception.symbol: random+0x24638c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2384780 exception.address: 0x136638c registers.esp: 4389076 registers.edi: 20339879 registers.eax: 20344288 registers.ebp: 4008423444 registers.edx: 973180160 registers.ebx: 1079408530 registers.esi: 0 registers.ecx: 604277078	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 6c ca 24 7c 89 14 24 51 b9 86 b3 ff 3b 51 exception.symbol: random+0x24c3e6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2409446 exception.address: 0x136c3e6 registers.esp: 4389076 registers.edi: 20339879 registers.eax: 32116 registers.ebp: 4008423444 registers.edx: 20397826 registers.ebx: 18409652 registers.esi: 58536 registers.ecx: 20363279	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 56 68 46 ae da 3a e9 0f fe ff ff 58 e9 cb 01 exception.symbol: random+0x24c69e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2410142 exception.address: 0x136c69e registers.esp: 4389076 registers.edi: 20339879 registers.eax: 32116 registers.ebp: 4008423444 registers.edx: 20368426 registers.ebx: 18409652 registers.esi: 0 registers.ecx: 24811	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 55 e9 99 ff ff ff 01 d0 5a 83 c0 04 e9 ad 01 exception.symbol: random+0x24ecd5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2419925 exception.address: 0x136ecd5 registers.esp: 4389076 registers.edi: 20408502 registers.eax: 32779 registers.ebp: 4008423444 registers.edx: 20368426 registers.ebx: 1813851963 registers.esi: 0 registers.ecx: 24811	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 71 24 80 05 89 04 24 89 0c 24 89 e1 81 c1 exception.symbol: random+0x24f03f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2420799 exception.address: 0x136f03f registers.esp: 4389076 registers.edi: 20378798 registers.eax: 0 registers.ebp: 4008423444 registers.edx: 20368426 registers.ebx: 81129 registers.esi: 0 registers.ecx: 24811	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 60 b9 5b 7a 89 04 24 b8 1c 6b 7c 3f f7 d0 exception.symbol: random+0x250575 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2426229 exception.address: 0x1370575 registers.esp: 4389072 registers.edi: 20380823 registers.eax: 26599 registers.ebp: 4008423444 registers.edx: 20368426 registers.ebx: 391527906 registers.esi: 0 registers.ecx: 241338361	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 57 e9 ad f9 ff ff fb 68 60 exception.symbol: random+0x250568 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2426216 exception.address: 0x1370568 registers.esp: 4389076 registers.edi: 20407422 registers.eax: 26599 registers.ebp: 4008423444 registers.edx: 20368426 registers.ebx: 391527906 registers.esi: 157417 registers.ecx: 4294943688	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 83 ea 04 87 14 24 exception.symbol: random+0x26818d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2523533 exception.address: 0x138818d registers.esp: 4389076 registers.edi: 322689 registers.eax: 30985 registers.ebp: 4008423444 registers.edx: 4294938816 registers.ebx: 1969225702 registers.esi: 20509831 registers.ecx: 0	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 60 2b 94 00 89 04 24 e9 b0 f7 ff ff 81 c4 exception.symbol: random+0x26f243 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2552387 exception.address: 0x138f243 registers.esp: 4389076 registers.edi: 20482821 registers.eax: 20537867 registers.ebp: 4008423444 registers.edx: 2220072 registers.ebx: 20482789 registers.esi: 20482785 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 68 0e 41 ef 7f 58 55 50 c7 04 24 93 ca ff 6b exception.symbol: random+0x26eb2b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2550571 exception.address: 0x138eb2b registers.esp: 4389076 registers.edi: 20482821 registers.eax: 20509659 registers.ebp: 4008423444 registers.edx: 2220072 registers.ebx: 3392647528 registers.esi: 0 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 82 a6 8f 54 e9 00 00 00 00 89 0c exception.symbol: random+0x2755bc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2577852 exception.address: 0x13955bc registers.esp: 4389076 registers.edi: 20563293 registers.eax: 31401 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 2029809536 registers.esi: 0 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 e9 8e 03 00 00 52 89 e2 81 c2 04 00 00 00 exception.symbol: random+0x274cc0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2575552 exception.address: 0x1394cc0 registers.esp: 4389076 registers.edi: 20535049 registers.eax: 6089043 registers.ebp: 4008423444 registers.edx: 0 registers.ebx: 2029809536 registers.esi: 0 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 50 e9 ad 04 00 00 8b 34 24 81 c4 04 00 00 00 exception.symbol: random+0x2798b2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2594994 exception.address: 0x13998b2 registers.esp: 4389072 registers.edi: 20535049 registers.eax: 32390 registers.ebp: 4008423444 registers.edx: 106 registers.ebx: 4136470837 registers.esi: 3769129759 registers.ecx: 20551782	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 56 be 04 00 00 00 01 f2 5e 83 ea 04 exception.symbol: random+0x27a2ff exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2597631 exception.address: 0x139a2ff registers.esp: 4389076 registers.edi: 20535049 registers.eax: 32390 registers.ebp: 4008423444 registers.edx: 0 registers.ebx: 4136470837 registers.esi: 2179172691 registers.ecx: 20554888	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 23 fa ff ff 81 ef e5 d9 dd 57 29 exception.symbol: random+0x28375f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2635615 exception.address: 0x13a375f registers.esp: 4389076 registers.edi: 606896464 registers.eax: 27275 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 20593616 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 81 c7 82 ca a2 7a 50 b8 52 c1 bb 6b 81 ef 99 exception.symbol: random+0x2944e1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2704609 exception.address: 0x13b44e1 registers.esp: 4389072 registers.edi: 20659053 registers.eax: 29697 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 20595111 registers.esi: 2005598220 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 f2 19 e7 7f 53 50 c7 04 24 00 2f exception.symbol: random+0x294375 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2704245 exception.address: 0x13b4375 registers.esp: 4389076 registers.edi: 20688750 registers.eax: 29697 registers.ebp: 4008423444 registers.edx: 2130566132 registers.ebx: 20595111 registers.esi: 2005598220 registers.ecx: 1374224384	1
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: fb 56 be d1 91 ff 5f e9 2c fd ff ff 89 0c 24 83 exception.symbol: random+0x2946f9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2705145 exception.address: 0x13b46f9 registers.esp: 4389076 registers.edi: 20662318 registers.eax: 41877608 registers.ebp: 4008423444 registers.edx: 0 registers.ebx: 20595111 registers.esi: 2005598220 registers.ecx: 1374224384	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Sept. 21, 2024, 1:50 p.m.	ip_address: 127.0.0.1 socket: 1112 port: 0	1	0
listen Sept. 21, 2024, 1:50 p.m.	socket: 1112 backlog: 5	1	0
accept Sept. 21, 2024, 1:50 p.m.	ip_address: 127.0.0.1 socket: 1112 port: 49234	1	1128

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.100/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.103/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Performs some HTTP requests (12 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://185.215.113.100/steam/random.exe
request	GET http://185.215.113.103/
request	POST http://185.215.113.103/e2b1563c6670f193.php
request	GET http://185.215.113.103/well/random.exe
request	GET http://185.215.113.103/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.103/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.103/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.103/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.103/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.103/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.103/0d60be0de163924d/vcruntime140.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	POST http://185.215.113.103/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 172 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01121000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (20 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2208 crashed
Application Crash	Process firefox.exe with pid 2600 crashed
Application Crash	Process firefox.exe with pid 2296 crashed
Application Crash	Process firefox.exe with pid 1044 crashed
Application Crash	Process firefox.exe with pid 2184 crashed
Application Crash	Process firefox.exe with pid 2884 crashed
Application Crash	Process firefox.exe with pid 184 crashed
Application Crash	Process firefox.exe with pid 1212 crashed
Application Crash	Process firefox.exe with pid 3328 crashed
Application Crash	Process firefox.exe with pid 3644 crashed
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9106136 registers.r15: 8791541257840 registers.rcx: 48 registers.rsi: 8791541189504 registers.r10: 0 registers.rbx: 0 registers.rsp: 9105768 registers.r11: 9109152 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14917776 registers.rbp: 9105888 registers.rdi: 68265408 registers.rax: 13442816 registers.r13: 9106728	1	0	0
__exception__ Sept. 21, 2024, 1:48 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10155984 registers.r15: 10155488 registers.rcx: 48 registers.rsi: 14707680 registers.r10: 0 registers.rbx: 0 registers.rsp: 10154536 registers.r11: 10156736 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10155319 registers.rbp: 10154656 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:48 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10025088 registers.r15: 10024592 registers.rcx: 48 registers.rsi: 14705568 registers.r10: 0 registers.rbx: 0 registers.rsp: 10023640 registers.r11: 10025840 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 10024423 registers.rbp: 10023760 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: 0xcb1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcb1f04 registers.r14: 10353680 registers.r15: 10353184 registers.rcx: 48 registers.rsi: 14705184 registers.r10: 0 registers.rbx: 0 registers.rsp: 10352232 registers.r11: 10354432 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10353015 registers.rbp: 10352352 registers.rdi: 100 registers.rax: 13311744 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8779568 registers.r15: 8779072 registers.rcx: 48 registers.rsi: 14704896 registers.r10: 0 registers.rbx: 0 registers.rsp: 8778120 registers.r11: 8780320 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8778903 registers.rbp: 8778240 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: 0xbc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbc1f04 registers.r14: 9238560 registers.r15: 9238064 registers.rcx: 48 registers.rsi: 15754912 registers.r10: 0 registers.rbx: 0 registers.rsp: 9237112 registers.r11: 9239312 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9237895 registers.rbp: 9237232 registers.rdi: 100 registers.rax: 12328704 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: 0xa91f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa91f04 registers.r14: 9762992 registers.r15: 9762496 registers.rcx: 48 registers.rsi: 15753472 registers.r10: 0 registers.rbx: 0 registers.rsp: 9761544 registers.r11: 9763744 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9762327 registers.rbp: 9761664 registers.rdi: 100 registers.rax: 11083520 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:50 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9303488 registers.r15: 9302992 registers.rcx: 48 registers.rsi: 14704704 registers.r10: 0 registers.rbx: 0 registers.rsp: 9302040 registers.r11: 9304240 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9302823 registers.rbp: 9302160 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:50 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9500128 registers.r15: 9499632 registers.rcx: 48 registers.rsi: 14704896 registers.r10: 0 registers.rbx: 0 registers.rsp: 9498680 registers.r11: 9500880 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9499463 registers.rbp: 9498800 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:50 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10615584 registers.r15: 10615088 registers.rcx: 48 registers.rsi: 14706144 registers.r10: 0 registers.rbx: 0 registers.rsp: 10614136 registers.r11: 10616336 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10614919 registers.rbp: 10614256 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0

Steals private information from local Internet browsers (50 out of 5864 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe
file	C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe
file	C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe
file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe
file	C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 21, 2024, 1:49 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1
ShellExecuteExW Sept. 21, 2024, 1:49 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe	1	1
ShellExecuteExW Sept. 21, 2024, 1:49 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe parameters: filepath: C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe	1	1
ShellExecuteExW Sept. 21, 2024, 1:49 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 21, 2024, 1:49 p.m.	snapshot_handle: 0x00000354 process_name: taskhost.exe process_identifier: 1176	1	1
Process32NextW Sept. 21, 2024, 1:49 p.m.	snapshot_handle: 0x00000354 process_name: cmd.exe process_identifier: 840	1	1
Process32NextW Sept. 21, 2024, 1:49 p.m.	snapshot_handle: 0x00000354 process_name: 376da640f6.exe process_identifier: 2588	1	1
Process32NextW Sept. 21, 2024, 1:49 p.m.	snapshot_handle: 0x00000354 process_name: 55cf86bf67.exe process_identifier: 2828	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: svchost.exe process_identifier: 2980	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: mscorsvw.exe process_identifier: 3008	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: mscorsvw.exe process_identifier: 3052	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: sppsvc.exe process_identifier: 2092	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: firefox.exe process_identifier: 2208	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: firefox.exe process_identifier: 2600	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: cmd.exe process_identifier: 2800	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: pw.exe process_identifier: 1680	1	1
Process32NextW Sept. 21, 2024, 1:50 p.m.	snapshot_handle: 0x00000508 process_name: firefox.exe process_identifier: 2184	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000030d80ac0000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the processes svoutse.exe, 376da640f6.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¢fífà ÈB"0Nà@`N/d,@Pð#døñ# Ð#:@à.rsrc à#J@À.idata ð#J@Àtfiqpddr $L@àgemdllob Nb+@à.taggant00N"h+@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¢fífà ÈB"0Nà@`N/d,@Pð#døñ# Ð#:@à.rsrc à#J@À.idata ð#J@Àtfiqpddr $L@àgemdllob Nb+@à.taggant00N"h+@à request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELGîfà"¬ `wÀ @p@@@d\|@ H¤ð uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcH¤@ ¦ô@@.relocuð v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè]N$èUÆ^ÃUìQSVWùûÿÿ@Ç8ûÿÿ\ÉIPûÿÿ:ûÿÿ\|üÿÿÀi3öVVVhHÉIÿÐÇI9·dýÿÿ[3ö9·4ýÿÿKËè®3ö9·Dýÿÿ3ö9·Týÿÿ·lýÿÿÎè÷º3ÉÇF@Ç9ûÿÿt5MüQMüQûÿÿè/ûÿÿ@ÈèÆ@Ç¸ûÿÿuÎÿlÈIOàÉkOÔÉu3Û_ÜOÄÉãO¤_Ìè`þÿÿè ·dþÿÿÎÇ<ÉIèÿvè¿èYýÿÿè\|ýÿÿè#lýÿÿè)º·\ýÿÿÎÇDÉIètÿvèèóÇLýÿÿ@ÉIY9Týÿÿòÿ·PýÿÿTýÿÿèXèóÇ<ýÿÿ@ÉIY9Dýÿÿñÿ·@ýÿÿDýÿÿè.èóÇ,ýÿÿ@ÉIY94ýÿÿðÿ·0ýÿÿ4ýÿÿèèY$ýÿÿÉù·ýÿÿÎÇ<ÉIè£ÿvèÚçYýÿÿÉãüüÿÿÉéèüÿÿè-ÐüÿÿèÄüÿÿÉÙÌüÿÿ¸üÿÿÉÙlüÿÿÀüÿÿèï\üÿÿèäLüÿÿèÙüÿÿèµ_^[ÉÃ`ýÿÿ°Àt#ÿ0ÿ5MÿÅI`ýÿÿ°ÉtQèØùÿÿF;·dýÿÿfýÿÿë¿qQèþàÎö þÿÿëëVñW3ÿN>è5N$è-N4èsPN`èkPèjÇ¼<ÉI¾À¾Ä¾ÈèiæY8Æ_^ÃVWùÉtQè_·¼ÎÇ<ÉIè6ÿvèmæYèÜO`è¯QO4è§QO$èÄO_^éºVñW3ÿ9~f_^ÃVñjVè×åYYÆ^ÂVñW3ÿ9~wf_^ÃFjÿ4¸è°åYYF$¸G;~sÝëâSVñ3ÛW¾d9u%\|èÿÿÿ¾p9u9=_^[ÃÏèÛëÎÏè=ëÚWùxÿÿÿ@Ç8xÿÿÿhÉIèhOðèóOàèëOÐèãOÀèÛO¬èÓOèËOèÃ\|ÿÿÿÉug_ÃVéË VWñè¶@öÉ _^ÃVqöÜ ^ÃWùu&?ÿu_ÃVw$Ïèij(WèäþYYöuæ^_ÃÿwèÓäYëÏVñÉtQèþÿÿìèP¼è&¬èèèN^éVWù3öD÷ÀN Fþ\|î_^ÃSVñ3ÛW8^ T 8^uNy8ÉtQè~^ ÿ_^[Ã³ëóVñN è²µÎè«µj@VèÐãYYÆ^ÂUìSÙVW{ {u)EÏ0è~µ7ÇGC{ _^[u Æ@]Â8ëÒ@8ëî3ÀÇMd3Éf£2MA¢4Mj 8M <M @M¢PMf£üM ôM øM¹úX M£DM£HM LMÃUìWù rVj@èãYÿuðÎèON8w^ÿ_]ÂUìVuWùVgèëåFO GFGFGF aPèÉåF0G0Ç_^]Â3Ò3À@AQQQQA,ÁQ Q(Q0ÃVñ&NèWèþèó¬èè¼èÝìè LjèEâÇ$\|ÉI ÿ ÇIFÆ^ÃjAZ @êuõÁÃSV5ÆI3ÛWùjXSGfÇG____j[ÇGÿÖSjG)ÿÖSh request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 21, 2024, 1:49 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.981707229582577, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98170722958

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a4e00', u'virtual_address': u'0x00324000', u'entropy': 7.954465828144738, u'name': u'apaxlpat', u'virtual_size': u'0x001a5000'}

entropy

7.95446582814

description

A section with a high entropy has been found

entropy

0.99414114514

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 99 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Sept. 21, 2024, 1:49 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.0.1065464047\3116012" -parentBuildID 20220922151854 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 21970 -prefMapSize 232313 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d06d4ee-f454-4852-b362-cca3c9aec234} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1240 45f5058 gpu

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.100
host	185.215.113.103
host	31.41.244.10

Allocates execute permission to another process indicative of possible code injection (22 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:48 p.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:48 p.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:49 p.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:50 p.m.	process_identifier: 3328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:50 p.m.	process_identifier: 3328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:50 p.m.	process_identifier: 3644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:50 p.m.	process_identifier: 3644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 562 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 21, 2024, 1:49 p.m.	class_name: OLLYDBG window_name:		0	0

A process attempted to delay the analysis task. (4 events)

description	55cf86bf67.exe tried to sleep 324 seconds, actually delayed analysis time by 324 seconds
description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	376da640f6.exe tried to sleep 239 seconds, actually delayed analysis time by 239 seconds
description	svoutse.exe tried to sleep 1264 seconds, actually delayed analysis time by 1264 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\376da640f6.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\55cf86bf67.exe	reg_value	C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\561157fcb2.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe
file	C:\Windows\Tasks\svoutse.job

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (50 out of 99 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2208 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: } base_address: 0x000000013f0e0d78 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2208 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: } base_address: 0x000000013f0e0d70 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013f080108 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0daae8 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0c78 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2600 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: k base_address: 0x000000013f0e0d78 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2600 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: k base_address: 0x000000013f0e0d70 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013f080108 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0daae8 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0c78 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2296 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: y base_address: 0x000000013f0e0d78 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2296 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: y base_address: 0x000000013f0e0d70 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: ÏT base_address: 0x000000013f080108 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0daae8 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:48 p.m.	buffer: base_address: 0x000000013f0e0c78 process_identifier: 2296 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2184 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: Å base_address: 0x000000013f0e0d78 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2184 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: Å base_address: 0x000000013f0e0d70 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: ÏT base_address: 0x000000013f080108 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0daae8 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0e0c78 process_identifier: 2184 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2716 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: Ç base_address: 0x000000013f0e0d78 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2716 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: Ç base_address: 0x000000013f0e0d70 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: ÏT base_address: 0x000000013f080108 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0daae8 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0e0c78 process_identifier: 2716 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2884 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2884 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2884 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: Ô base_address: 0x000000013f0e0d78 process_identifier: 2884 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:49 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2884 process_handle: 0x0000000000000050	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 21, 2024, 1:49 p.m.	key_handle: 0x00000358 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (21 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\88a6e7e5-4d1d-473e-9946-722f2f3b3f49.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\05835e05-6121-4708-9111-fa231fd15bbd.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9af36891-14e2-4960-9330-28c2e6c4cdd4.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\3f42309d-df3c-45c3-9182-d32d2d3f5808.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.0.1065464047\3116012" -parentBuildID 20220922151854 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 21970 -prefMapSize 232313 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d06d4ee-f454-4852-b362-cca3c9aec234} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1240 45f5058 gpu
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\1ad1df49-1767-4777-81d0-942a4e0e0de9.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\1a89e6be-7a47-455c-9541-3c3b3330f95e.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\fe950943-fc74-4339-9743-298b6f4d5f6e.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\bbf14a46-52db-4c51-a02d-9c4a3e7ad641.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\9bd80c9c-b09a-47ab-a61a-f24b47a41f96.dmp"

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (22 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2164 resumed a thread in remote process 2208
Process injection	Process 2140 resumed a thread in remote process 2600
Process injection	Process 2364 resumed a thread in remote process 2296
Process injection	Process 1952 resumed a thread in remote process 2184
Process injection	Process 2144 resumed a thread in remote process 2716
Process injection	Process 2252 resumed a thread in remote process 2884
Process injection	Process 2880 resumed a thread in remote process 184
Process injection	Process 2784 resumed a thread in remote process 724
Process injection	Process 2368 resumed a thread in remote process 1212
Process injection	Process 3176 resumed a thread in remote process 3328
Process injection	Process 3412 resumed a thread in remote process 3644
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2208	1	0	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2600	1	0	0
NtResumeThread Sept. 21, 2024, 1:48 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2296	1	0	0
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2184	1	0	0
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2716	1	0	0
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2884	1	0	0
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 184	1	0	0
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 724	1	0	0
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1212	1	0	0
NtResumeThread Sept. 21, 2024, 1:50 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3328	1	0	0
NtResumeThread Sept. 21, 2024, 1:50 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3644	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2024, 1:49 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 35 d9 ff ff 29 da 81 exception.symbol: random+0x204b14 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2116372 exception.address: 0x1324b14 registers.esp: 4389108 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4008423444 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 20058303 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 309 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 1488	1	0
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2340 thread_handle: 0x000003e0 process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
NtResumeThread Sept. 21, 2024, 1:49 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2336	1	0
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2592 thread_handle: 0x0000046c process_identifier: 2588 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000042001\376da640f6.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000468	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2832 thread_handle: 0x0000043c process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe" filepath_r: C:\Users\test22\AppData\Roaming\1000043000\55cf86bf67.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2348 thread_handle: 0x00000434 process_identifier: 2356 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000048001\561157fcb2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000490	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2168 thread_handle: 0x0000012c process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2252 thread_handle: 0x00000130 process_identifier: 2140 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2316 thread_handle: 0x0000012c process_identifier: 2364 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 940 thread_handle: 0x00000130 process_identifier: 1952 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 1668 thread_handle: 0x0000012c process_identifier: 1044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 1896 thread_handle: 0x00000130 process_identifier: 2144 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 1884 thread_handle: 0x0000012c process_identifier: 2252 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 800 thread_handle: 0x00000130 process_identifier: 2880 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 1896 thread_handle: 0x0000012c process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 2560 thread_handle: 0x00000130 process_identifier: 2368 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 3180 thread_handle: 0x0000012c process_identifier: 3176 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:51 p.m.	thread_identifier: 3416 thread_handle: 0x00000130 process_identifier: 3412 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:42 p.m.	thread_identifier: 2212 thread_handle: 0x0000000000000044 process_identifier: 2208 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Sept. 21, 2024, 1:42 p.m.	section_handle: 0x0000000000000060 process_identifier: 2208 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000007d170000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000007d170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2208 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: } base_address: 0x000000013f0e0d78 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2208 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: } base_address: 0x000000013f0e0d70 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013f080108 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f0daae8 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0c78 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000170 suspend_count: 1 process_identifier: 2208	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000230	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000238	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x000000000000023c	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000240	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000244	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000248	1	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000238 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000240 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 2208	1	0
CreateProcessInternalW Sept. 21, 2024, 1:43 p.m.	thread_identifier: 1680 thread_handle: 0x0000000000000210 process_identifier: 1656 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9af36891-14e2-4960-9330-28c2e6c4cdd4.dmp" filepath_r: stack_pivoted: 0 creation_flags: 150994976 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000000000e0	1	1
CreateProcessInternalW Sept. 21, 2024, 1:42 p.m.	thread_identifier: 2620 thread_handle: 0x0000000000000044 process_identifier: 2600 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0d22b0 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013f0e0d88 process_identifier: 2600 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Sept. 21, 2024, 1:42 p.m.	section_handle: 0x0000000000000060 process_identifier: 2600 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000006b930000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000006b930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`# ?Aÿã base_address: 0x0000000077711590 process_identifier: 2600 process_handle: 0x0000000000000050	1	1

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All