Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 16, 2024, 7:55 a.m.	Jan. 16, 2024, 7:57 a.m.

Size	4.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`750730cacee06f5b29188ef5050ff7ab`
SHA256	`13379a65ce202076bf26e92ef6da715754b740f5981a82cf5f9b0c2012eb9099`
CRC32	`08595FA7`
ssdeep	`98304:J2Whm1JudM2fKSQkGr9kigOCfp9ueloHjZBG+nBYuEk9:J2ym1Ji5zQpsFo1BfBYu`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file UPX_Zero - UPX packed file

done.exe "C:\Users\test22\AppData\Local\Temp\done.exe"
2540
- rl2br93.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rl2br93.exe
  2616
  - vo5Da73.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\vo5Da73.exe
    2672
    - 1vl60Qv4.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1vl60Qv4.exe
      2716
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        2776
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2776 CREDAT:145409
        2860
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
        1356
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7fef426f1e8,0x7fef426f1f8,0x7fef426f208
        2484
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1336 --on-initialized-event-handle=340 --parent-handle=344 /prefetch:6
        2376
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        2200
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        2528
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.0.1681015973\1088438567" -parentBuildID 20220922151854 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 24842 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {197254f6-8390-43de-a3a8-d5a3e1cf0bda} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1312 f8fd358 gpu
        2476
    - 4yL902sA.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4yL902sA.exe
      2272

Name	Response	Post-Analysis Lookup
fbcdn.net	A 157.240.215.35	157.240.215.35
facebook.com	A 157.240.215.35	157.240.215.35
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
fbsbx.com	A 157.240.215.35	157.240.215.35
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
connect.facebook.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14

IP Address	Status	Action
117.18.232.200	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49171 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49176 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49174 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49171 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49175 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49168 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49169 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49172 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49178 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49177 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49173 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49180 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	d6:6a:95:05:2c:a4:41:0f:81:1a:10:70:ba:4f:59:d8:f3:de:8a:51
TLSv1 192.168.56.101:49179 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49187 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49181 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	d6:6a:95:05:2c:a4:41:0f:81:1a:10:70:ba:4f:59:d8:f3:de:8a:51
TLSv1 192.168.56.101:49188 157.240.215.35:443	None	None	None
TLSv1 192.168.56.101:49184 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	d6:6a:95:05:2c:a4:41:0f:81:1a:10:70:ba:4f:59:d8:f3:de:8a:51
TLSv1 192.168.56.101:49182 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49185 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	d6:6a:95:05:2c:a4:41:0f:81:1a:10:70:ba:4f:59:d8:f3:de:8a:51
TLSv1 192.168.56.101:49186 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	45:04:8e:02:29:a1:f1:8b:1f:22:0f:34:50:09:8b:3b:b4:94:a3:0a
TLSv1 192.168.56.101:49189 157.240.215.35:443	None	None	None

Checks if process is being debugged by a debugger (50 out of 135 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 16, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0
IsDebuggerPresent Jan. 16, 2024, 7:48 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 16, 2024, 7:55 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Jan. 16, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 108000452 registers.edi: 82906476 registers.eax: 108000452 registers.ebp: 108000532 registers.edx: 65536 registers.ebx: 108000816 registers.esi: 2147746133 registers.ecx: 82927600	1
__exception__ Jan. 16, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x718a540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x718a52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71980ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 77126992 registers.edi: 1953561104 registers.eax: 77126992 registers.ebp: 77127072 registers.edx: 1 registers.ebx: 5359684 registers.esi: 2147746133 registers.ecx: 3440132434	1
__exception__ Jan. 16, 2024, 7:48 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 189132192 registers.r15: 189132632 registers.rcx: 1480 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 112138800 registers.rsp: 189131352 registers.r11: 189135888 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1612 registers.r12: 35042704 registers.rbp: 189131504 registers.rdi: 34782304 registers.rax: 4992512 registers.r13: 189132064	1
__exception__ Jan. 16, 2024, 7:55 a.m.	stacktrace: 4yl902sa+0x31af93 @ 0xe3af93 4yl902sa+0x3168cb @ 0xe368cb 4yl902sa+0x405583 @ 0xf25583 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4yl902sa+0x2645a5 exception.instruction: div eax exception.module: 4yL902sA.exe exception.exception_code: 0xc0000094 exception.offset: 2508197 exception.address: 0xd845a5 registers.esp: 3864348 registers.edi: 15884528 registers.eax: 0 registers.ebp: 3864376 registers.edx: 0 registers.ebx: 3757898495 registers.esi: 13242368 registers.ecx: 45299992	1
__exception__ Jan. 16, 2024, 7:49 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 40787456 registers.r15: 291433480 registers.rcx: 1464 registers.rsi: 314855456 registers.r10: 0 registers.rbx: 314749664 registers.rsp: 291431944 registers.r11: 518 registers.r8: 1994794048 registers.r9: 1928695808 registers.rdx: 1492 registers.r12: 1073453569 registers.rbp: 291432096 registers.rdi: 314760096 registers.rax: 10304512 registers.r13: 291432816	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (26 events)

Time & API	Arguments	Status	Return
bind Jan. 16, 2024, 7:56 a.m.	ip_address: 127.0.0.1 socket: 1392 port: 0	1	0
bind Jan. 16, 2024, 7:56 a.m.	ip_address: 0.0.0.0 socket: 1480 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 127.0.0.1 socket: 1204 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1360 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1376 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1716 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1680 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 157.240 socket: 1904 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1920 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1724 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1976 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1904 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2268 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2280 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2380 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 157.240 socket: 2372 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1376 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2364 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2300 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 1360 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2220 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2272 port: 0	1	0
bind Jan. 16, 2024, 7:55 a.m.	ip_address: 0.0.0.0 socket: 2344 port: 0	1	0
bind Jan. 16, 2024, 7:48 a.m.	ip_address: 127.0.0.1 socket: 936 port: 0	1	0
listen Jan. 16, 2024, 7:48 a.m.	socket: 936 backlog: 5	1	0
accept Jan. 16, 2024, 7:48 a.m.	ip_address: 127.0.0.1 socket: 936 port: 49205	1	956

Performs some HTTP requests (16 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://www.facebook.com/login
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yJ/l/0,cross/JtVgZ46o85N.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
request	GET https://facebook.com/security/hsts-pixel.gif?c=3.2.5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://fbcdn.net/security/hsts-pixel.gif?c=2.5
request	GET https://fbsbx.com/security/hsts-pixel.gif?c=5
request	GET https://connect.facebook.net/security/hsts-pixel.gif
request	GET https://www.facebook.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 739 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d14000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d52000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71881000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 region_size: 3936256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73783000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73827000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74631000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d14000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d52000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 16, 2024, 7:55 a.m.	number_of_free_clusters: 3252043 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 16, 2024, 7:55 a.m.	number_of_free_clusters: 3252043 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 16, 2024, 7:55 a.m.	number_of_free_clusters: 3250889 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 16, 2024, 7:55 a.m.	number_of_free_clusters: 3250889 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 16, 2024, 7:55 a.m.	number_of_free_clusters: 3249969 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 16, 2024, 7:55 a.m.	number_of_free_clusters: 3249969 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (7 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2776 crashed
Application Crash	Process chrome.exe with pid 1356 crashed
Application Crash	Process firefox.exe with pid 2528 crashed
__exception__ Jan. 16, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 108000452 registers.edi: 82906476 registers.eax: 108000452 registers.ebp: 108000532 registers.edx: 65536 registers.ebx: 108000816 registers.esi: 2147746133 registers.ecx: 82927600	1	0	0
__exception__ Jan. 16, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x718a540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x718a52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71980ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 77126992 registers.edi: 1953561104 registers.eax: 77126992 registers.ebp: 77127072 registers.edx: 1 registers.ebx: 5359684 registers.esi: 2147746133 registers.ecx: 3440132434	1	0	0
__exception__ Jan. 16, 2024, 7:48 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 189132192 registers.r15: 189132632 registers.rcx: 1480 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 112138800 registers.rsp: 189131352 registers.r11: 189135888 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1612 registers.r12: 35042704 registers.rbp: 189131504 registers.rdi: 34782304 registers.rax: 4992512 registers.r13: 189132064	1	0	0
__exception__ Jan. 16, 2024, 7:49 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 40787456 registers.r15: 291433480 registers.rcx: 1464 registers.rsi: 314855456 registers.r10: 0 registers.rbx: 314749664 registers.rsp: 291431944 registers.r11: 518 registers.r8: 1994794048 registers.r9: 1928695808 registers.rdx: 1492 registers.r12: 1073453569 registers.rbp: 291432096 registers.rdi: 314760096 registers.rax: 10304512 registers.r13: 291432816	1	0	0

Steals private information from local Internet browsers (44 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Managed Mode Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\1356-1705359327884765.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65A631C8-54C.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\7c3c0d47-3543-4480-a553-3550c3e627b4.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6WA7nv8.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\vo5Da73.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\Lzd-U--zeLf[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1vl60Qv4.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rl2br93.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4yL902sA.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\0_HoU29ShlI[1].js
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5ta8Ft3.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\xGzxHIbkRpC[1].js

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6WA7nv8.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rl2br93.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5ta8Ft3.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4yL902sA.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\vo5Da73.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1vl60Qv4.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 16, 2024, 7:55 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x07550000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00406a00', u'virtual_address': u'0x0000c000', u'entropy': 7.995496372729164, u'name': u'.rsrc', u'virtual_size': u'0x00407000'}

entropy

7.99549637273

description

A section with a high entropy has been found

entropy

0.992178098676

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (50 out of 953 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://dts.search-results.com/sr?lng=
url	http://creativecommons.org/ns
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://www.google.com/chromeca
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://drive-daily-5.corp.google.com/
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	http://ocsp.verisign.com04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://search.goo.ne.jp/sgt.jsp?MT=
url	http://ocsp.starfieldtech.com/08
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=
url	http://EVSecure-ocsp.geotrust.com0
url	https://developers.google.com/web/fundamentals/accessibility/accessible-styles
url	https://mammoth.ct.comodo.com/
url	http://hladaj.atlas.sk/fulltext/?phrase=
url	http://buscador.softonic.com/?q=
url	https://hk.search.yahoo.com/sugg/chrome?output=fxjson
url	https://ph.search.yahoo.com/sugg/chrome?output=fxjson
url	https://log.getdropbox.com/log/ocsp_expect_staple

Yara rule detected in process memory (50 out of 1445 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Virtual currency	rule	Virtual_currency_Zero

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Jan. 16, 2024, 7:50 a.m.	status_code: 0xc0000005 process_identifier: 1356 process_handle: 0x00000000000000dc		0	0
NtTerminateProcess Jan. 16, 2024, 7:50 a.m.	status_code: 0xc0000005 process_identifier: 1356 process_handle: 0x00000000000000dc	1	0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2776 CREDAT:145409
cmdline	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.0.1681015973\1088438567" -parentBuildID 20220922151854 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 24842 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {197254f6-8390-43de-a3a8-d5a3e1cf0bda} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1312 f8fd358 gpu
cmdline	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.1.1404084512\465466970" -parentBuildID 20220922151854 -prefsHandle 1448 -prefMapHandle 1444 -prefsLen 24887 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea260001-f7a8-4c3f-9145-ad1697b469fd} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1460 26e3b58 socket
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 16, 2024, 7:48 a.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x00000000000000d8	1	0	0
NtProtectVirtualMemory Jan. 16, 2024, 7:48 a.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x00000000000000d8	1	0	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"

Potential code injection by writing to the memory of another process (9 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: base_address: 0x000000013ffe22b0 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: base_address: 0x000000013fff0d88 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: I»`#û?Aÿã base_address: 0x0000000076d81590 process_identifier: 2528 process_handle: 0x00000000000000d8	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: w base_address: 0x000000013fff0d78 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: I» û?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2528 process_handle: 0x00000000000000d8	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: w base_address: 0x000000013fff0d70 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: ÏT base_address: 0x000000013ff90108 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013ffeaae8 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: base_address: 0x000000013fff0c78 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1

One or more non-whitelisted processes were created (6 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.1.1404084512\465466970" -parentBuildID 20220922151854 -prefsHandle 1448 -prefMapHandle 1444 -prefsLen 24887 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea260001-f7a8-4c3f-9145-ad1697b469fd} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1460 26e3b58 socket
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.0.1681015973\1088438567" -parentBuildID 20220922151854 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 24842 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {197254f6-8390-43de-a3a8-d5a3e1cf0bda} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1312 f8fd358 gpu
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7fef426f1e8,0x7fef426f1f8,0x7fef426f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1336 --on-initialized-event-handle=340 --parent-handle=344 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1260,17691637435794417245,7013467555060243768,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=4FF8C1309DC25A60BC177D8B281817DA --mojo-platform-channel-handle=1268 --ignored=" --type=renderer " /prefetch:2

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (46 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2716 resumed a thread in remote process 1356
Process injection	Process 2716 resumed a thread in remote process 2200
Process injection	Process 2776 resumed a thread in remote process 2860
Process injection	Process 2200 resumed a thread in remote process 2528
Process injection	Process 2484 resumed a thread in remote process 1356
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2200	1	0	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2860	1	0	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x00000000000000cc suspend_count: 1 process_identifier: 2528	1	0	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.0.1681015973\1088438567" -parentBuildID 20220922151854 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 24842 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {197254f6-8390-43de-a3a8-d5a3e1cf0bda} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1312 f8fd358 gpu
cmdline	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2528.1.1404084512\465466970" -parentBuildID 20220922151854 -prefsHandle 1448 -prefMapHandle 1444 -prefsLen 24887 -prefMapSize 232769 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea260001-f7a8-4c3f-9145-ad1697b469fd} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" 1460 26e3b58 socket

Executed a process and injected code into it, probably while unpacking (50 out of 139 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2620 thread_handle: 0x0000001c process_identifier: 2616 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rl2br93.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2676 thread_handle: 0x0000001c process_identifier: 2672 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\vo5Da73.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2720 thread_handle: 0x0000001c process_identifier: 2716 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1vl60Qv4.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2316 thread_handle: 0x00000124 process_identifier: 2272 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4yL902sA.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2780 thread_handle: 0x000001f8 process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp\IXP002.TMP filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001f4	1	1
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2716	1	0
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 1336 thread_handle: 0x000002d0 process_identifier: 1356 current_directory: C:\Users\test22\AppData\Local\Temp\IXP002.TMP filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 1356	1	0
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2220 thread_handle: 0x000002e0 process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp\IXP002.TMP filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2200	1	0
CreateProcessInternalW Jan. 16, 2024, 7:55 a.m.	thread_identifier: 2864 thread_handle: 0x00000388 process_identifier: 2860 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2776 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000038c	1	1
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2776	1	0
NtGetContextThread Jan. 16, 2024, 7:56 a.m.	thread_handle: 0x00000608	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x00000854 suspend_count: 1 process_identifier: 2860	1	0
CreateProcessInternalW Jan. 16, 2024, 7:48 a.m.	thread_identifier: 2504 thread_handle: 0x00000000000000e0 process_identifier: 2484 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7fef426f1e8,0x7fef426f1f8,0x7fef426f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000e4	1	1
CreateProcessInternalW Jan. 16, 2024, 7:48 a.m.	thread_identifier: 2372 thread_handle: 0x000000000000015c process_identifier: 2376 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1336 --on-initialized-event-handle=340 --parent-handle=344 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000160	1	1
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000224 suspend_count: 1 process_identifier: 1356	1	0
CreateProcessInternalW Jan. 16, 2024, 7:48 a.m.	thread_identifier: 504 thread_handle: 0x0000000000000648 process_identifier: 300 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1260,17691637435794417245,7013467555060243768,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=4FF8C1309DC25A60BC177D8B281817DA --mojo-platform-channel-handle=1268 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000064c	1	1
CreateProcessInternalW Jan. 16, 2024, 7:48 a.m.	thread_identifier: 2524 thread_handle: 0x00000000000000cc process_identifier: 2528 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: base_address: 0x000000013ffe22b0 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: base_address: 0x000000013fff0d88 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
NtMapViewOfSection Jan. 16, 2024, 7:48 a.m.	section_handle: 0x00000000000000e8 process_identifier: 2528 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000077170000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x00000000000000d8	1	0
NtAllocateVirtualMemory Jan. 16, 2024, 7:48 a.m.	process_identifier: 2528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000077170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000000d8	1	0
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: I»`#û?Aÿã base_address: 0x0000000076d81590 process_identifier: 2528 process_handle: 0x00000000000000d8	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: w base_address: 0x000000013fff0d78 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: I» û?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2528 process_handle: 0x00000000000000d8	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: w base_address: 0x000000013fff0d70 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: ÏT base_address: 0x000000013ff90108 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013ffeaae8 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory Jan. 16, 2024, 7:48 a.m.	buffer: base_address: 0x000000013fff0c78 process_identifier: 2528 process_handle: 0x00000000000000d4	1	1
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x00000000000000cc suspend_count: 1 process_identifier: 2528	1	0
NtResumeThread Jan. 16, 2024, 7:55 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2272	1	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000128 suspend_count: 1 process_identifier: 2484	1	0
NtGetContextThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0
NtGetContextThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0
NtGetContextThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0
NtGetContextThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0
NtGetContextThread Jan. 16, 2024, 7:48 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0
NtGetContextThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread Jan. 16, 2024, 7:49 a.m.	thread_handle: 0x0000000000000174 suspend_count: 2 process_identifier: 1356	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Downloader.rc
ALYac	Generic.Dacic.1055.47FAC0A2
VIPRE	Gen:Heur.Crifi.1
Sangfor	Trojan.Msil.Agent.Ae9m
K7AntiVirus	Trojan ( 005aad751 )
K7GW	Trojan ( 005aad751 )
Cybereason	malicious.0ad089
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
McAfee	GenericRXMR-KT!731056B82906
Avast	Win32:TrojanX-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	VHO:Trojan-PSW.Win32.RisePro.gen
Rising	Stealer.RisePro!8.176E1 (CLOUD)
F-Secure	Heuristic.HEUR/AGEN.1365153
DrWeb	Trojan.PWS.Stealer.38305
TrendMicro	TrojanSpy.Win32.RISEPRO.YXEAPZ
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Crypt
Jiangmin	Trojan.Script.awbz
Google	Detected
Avira	HEUR/AGEN.1365153
Antiy-AVL	RiskWare/MSIL.DllInject
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:MSIL/RiseProStealer.AAOF!MTB
ZoneAlarm	VHO:Trojan-PSW.Win32.RisePro.gen
Varist	W32/Kryptik.JKR.gen!Eldorado
Malwarebytes	Spyware.PasswordStealer
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious SFX
Fortinet	MSIL/Agent.SYF!tr.pws
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)

done.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All