Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 16, 2023, 4:15 p.m.	April 16, 2023, 4:21 p.m.

Size	7.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dd0379a70a71b60b3a81a91d49c88648`
SHA256	`eb070fb1f4a7b4c38f28b71b4ddd4127e839fbb960c471a51f299ef78d7eed87`
CRC32	`24545CC3`
ssdeep	`196608:Vhys2Nil815lcLJh0zKFEoTPIqdpS92OK7a3DI/Gu0q7T:VhyNM05lcLJ7FEo49rKuTiDT`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature IsPE32 - (no description)

114.exe "C:\Users\test22\AppData\Local\Temp\114.exe"
2032
- 11.exe "C:\Windows\Temp\11.exe"
  2188
- 22.exe "C:\Windows\Temp\22.exe"
  2228
  - RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    2380
- 123.exe "C:\Windows\Temp\123.exe"
  2276
- 321.exe "C:\Windows\Temp\321.exe"
  2320
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=51897 --headless --user-data-dir="C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" --profile-directory="Default"
    2676
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3e16e00,0x7fef3e16e10,0x7fef3e16e20
      2744
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef3723d58,0x7fef3723d68,0x7fef3723d78
      2912

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
178.32.215.165	Active	Moloch
45.77.166.103	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 53 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:16 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (37 events)

Time & API	Arguments	Status	Return
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e24d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0085c758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0085c758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e2b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008a94f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008a94f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008a9370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860b50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860b50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00860cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00861410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00861410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008612d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2023, 4:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (50 out of 157 events)

Time & API	Arguments	Status
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 11+0x4dc0b9 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 5095609 exception.address: 0x13cc0b9 registers.esp: 3406464 registers.edi: 0 registers.eax: 1 registers.ebp: 3406480 registers.edx: 24666112 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: 66 81 38 4d 5a 75 0e 0f b7 50 3c 01 c2 81 3a 50 exception.symbol: 11+0x2b9eb exception.instruction: cmp word ptr [eax], 0x5a4d exception.module: 11.exe exception.exception_code: 0xc0000005 exception.offset: 178667 exception.address: 0xf1b9eb registers.esp: 3406424 registers.edi: 0 registers.eax: 15667200 registers.ebp: 4021919764 registers.edx: 172032 registers.ebx: 0 registers.esi: 0 registers.ecx: 172032	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 ab 6c 00 00 e9 c4 fe ff ff 89 1c 24 52 89 exception.symbol: 11+0x2beea exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 179946 exception.address: 0xf1beea registers.esp: 3406428 registers.edi: 1971192040 registers.eax: 30552 registers.ebp: 4021919764 registers.edx: 15663104 registers.ebx: 15794408 registers.esi: 3 registers.ecx: 15842662	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 6c fe ff ff c1 ed 06 e9 2a 00 00 00 81 ec exception.symbol: 11+0x2c8a4 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 182436 exception.address: 0xf1c8a4 registers.esp: 3406432 registers.edi: 1971192040 registers.eax: 30552 registers.ebp: 4021919764 registers.edx: 15663104 registers.ebx: 15794408 registers.esi: 3 registers.ecx: 15873214	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 52 68 1a 29 68 2c e9 00 00 00 00 8b 14 24 e9 exception.symbol: 11+0x2c249 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 180809 exception.address: 0xf1c249 registers.esp: 3406432 registers.edi: 1971192040 registers.eax: 0 registers.ebp: 4021919764 registers.edx: 232681 registers.ebx: 15794408 registers.esi: 3 registers.ecx: 15846066	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 89 34 24 50 68 94 exception.symbol: 11+0x2d6e8 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 186088 exception.address: 0xf1d6e8 registers.esp: 3406428 registers.edi: 15847408 registers.eax: 30007 registers.ebp: 4021919764 registers.edx: 607650784 registers.ebx: 1188991870 registers.esi: 3 registers.ecx: 231231035	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 db e8 f1 6c ff 34 24 8b 34 24 51 81 ec 04 exception.symbol: 11+0x2d183 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 184707 exception.address: 0xf1d183 registers.esp: 3406432 registers.edi: 15877415 registers.eax: 30007 registers.ebp: 4021919764 registers.edx: 607650784 registers.ebx: 1188991870 registers.esi: 3 registers.ecx: 231231035	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 de 17 6b 42 ff 34 24 ff 34 24 8b 14 24 51 exception.symbol: 11+0x2d1b7 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 184759 exception.address: 0xf1d1b7 registers.esp: 3406432 registers.edi: 15850383 registers.eax: 30007 registers.ebp: 4021919764 registers.edx: 607650784 registers.ebx: 1259 registers.esi: 0 registers.ecx: 231231035	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 88 03 00 00 81 c5 3f ef 0c ab 81 eb 1d 6b exception.symbol: 11+0x40a595 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4236693 exception.address: 0x12fa595 registers.esp: 3406432 registers.edi: 15878144 registers.eax: 29876 registers.ebp: 4021919764 registers.edx: 131072 registers.ebx: 131072 registers.esi: 19898799 registers.ecx: 19929059	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 67 04 00 00 01 ce e9 de fe ff ff 59 68 02 exception.symbol: 11+0x40a7a1 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4237217 exception.address: 0x12fa7a1 registers.esp: 3406432 registers.edi: 15878144 registers.eax: 29876 registers.ebp: 4021919764 registers.edx: 131072 registers.ebx: 19689 registers.esi: 0 registers.ecx: 19902439	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 81 c1 82 29 9b 25 53 bb f3 74 60 7c e9 db 01 exception.symbol: 11+0x40eae4 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4254436 exception.address: 0x12feae4 registers.esp: 3406428 registers.edi: 4294948950 registers.eax: 31975 registers.ebp: 4021919764 registers.edx: 14286 registers.ebx: 19914702 registers.esi: 2005786574 registers.ecx: 19917028	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 0f ff 34 24 8b 1c 24 83 c4 04 e9 exception.symbol: 11+0x40f139 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4256057 exception.address: 0x12ff139 registers.esp: 3406432 registers.edi: 4294948950 registers.eax: 31975 registers.ebp: 4021919764 registers.edx: 14286 registers.ebx: 19914702 registers.esi: 2005786574 registers.ecx: 19949003	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 bc 04 00 00 51 68 69 75 3a 1b 59 57 bf 8e exception.symbol: 11+0x40ec8b exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4254859 exception.address: 0x12fec8b registers.esp: 3406432 registers.edi: 4294937972 registers.eax: 31975 registers.ebp: 4021919764 registers.edx: 14286 registers.ebx: 50665 registers.esi: 2005786574 registers.ecx: 19949003	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 55 e9 73 fc ff ff exception.symbol: 11+0x410472 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4260978 exception.address: 0x1300472 registers.esp: 3406428 registers.edi: 4294937972 registers.eax: 31696 registers.ebp: 4021919764 registers.edx: 835435067 registers.ebx: 19922067 registers.esi: 2005786574 registers.ecx: 19949003	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb b9 17 30 5f 02 83 ec 04 e9 45 ff ff ff 89 1c exception.symbol: 11+0x410167 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4260199 exception.address: 0x1300167 registers.esp: 3406432 registers.edi: 4294937972 registers.eax: 199913 registers.ebp: 4021919764 registers.edx: 835435067 registers.ebx: 19925007 registers.esi: 0 registers.ecx: 19949003	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 3e f7 ff ff 29 d3 5a exception.symbol: 11+0x4179f4 exception.instruction: in eax, dx exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4291060 exception.address: 0x13079f4 registers.esp: 3406424 registers.edi: 7876601 registers.eax: 1447909480 registers.ebp: 4021919764 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 19948606 registers.ecx: 20	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 11+0x416cff exception.address: 0x1306cff exception.module: 11.exe exception.exception_code: 0xc000001d exception.offset: 4287743 registers.esp: 3406424 registers.edi: 7876601 registers.eax: 1 registers.ebp: 4021919764 registers.edx: 22104 registers.ebx: 0 registers.esi: 19948606 registers.ecx: 20	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 5f 2b 38 11 01 exception.symbol: 11+0x41723a exception.instruction: in eax, dx exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4289082 exception.address: 0x130723a registers.esp: 3406424 registers.edi: 7876601 registers.eax: 1447909480 registers.ebp: 4021919764 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19948606 registers.ecx: 10	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 57 bf d8 30 03 06 exception.symbol: 11+0x41d192 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4313490 exception.address: 0x130d192 registers.esp: 3406428 registers.edi: 19974308 registers.eax: 27545 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 60115514 registers.esi: 10 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 53 54 8b 1c 24 e9 2b 08 00 00 29 7c 24 08 81 exception.symbol: 11+0x41ca45 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4311621 exception.address: 0x130ca45 registers.esp: 3406432 registers.edi: 20001853 registers.eax: 27545 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 60115514 registers.esi: 10 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 56 89 3c 24 bf 2e 38 96 23 51 e9 20 02 00 00 exception.symbol: 11+0x41c8fc exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4311292 exception.address: 0x130c8fc registers.esp: 3406432 registers.edi: 20001853 registers.eax: 27545 registers.ebp: 4021919764 registers.edx: 4294942348 registers.ebx: 3417771872 registers.esi: 10 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 b9 72 ec f5 6d 80 ca 00 64 8f 05 00 exception.symbol: 11+0x41d4ca exception.instruction: int 1 exception.module: 11.exe exception.exception_code: 0xc0000005 exception.offset: 4314314 exception.address: 0x130d4ca registers.esp: 3406392 registers.edi: 0 registers.eax: 3406392 registers.ebp: 4021919764 registers.edx: 1149894656 registers.ebx: 19977639 registers.esi: 0 registers.ecx: 1149935935	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 50 68 ab 28 df 64 58 57 68 cb 56 00 00 e9 ce exception.symbol: 11+0x427d10 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4357392 exception.address: 0x1317d10 registers.esp: 3406432 registers.edi: 1179202795 registers.eax: 32131 registers.ebp: 4021919764 registers.edx: 6 registers.ebx: 60115811 registers.esi: 0 registers.ecx: 20021293	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 26 06 00 00 81 c4 04 00 00 00 81 ef 02 cd exception.symbol: 11+0x428a63 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4360803 exception.address: 0x1318a63 registers.esp: 3406428 registers.edi: 1179202795 registers.eax: 30797 registers.ebp: 4021919764 registers.edx: 276977744 registers.ebx: 60115811 registers.esi: 20023509 registers.ecx: 1844656430	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb b8 f8 41 4d 32 c1 e8 02 51 b9 2b 0b 5d 26 81 exception.symbol: 11+0x4292a6 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4362918 exception.address: 0x13192a6 registers.esp: 3406432 registers.edi: 4294939220 registers.eax: 7281256 registers.ebp: 4021919764 registers.edx: 276977744 registers.ebx: 60115811 registers.esi: 20054306 registers.ecx: 1844656430	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 00 00 00 00 e9 bd 05 00 00 55 5f ff 34 24 exception.symbol: 11+0x429a1a exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4364826 exception.address: 0x1319a1a registers.esp: 3406432 registers.edi: 4294939220 registers.eax: 28442 registers.ebp: 4021919764 registers.edx: 20054956 registers.ebx: 60115811 registers.esi: 20054306 registers.ecx: 1844656430	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 50 e9 42 03 00 00 5d 83 c4 04 68 e8 43 00 00 exception.symbol: 11+0x429bb1 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4365233 exception.address: 0x1319bb1 registers.esp: 3406432 registers.edi: 55017 registers.eax: 28442 registers.ebp: 4021919764 registers.edx: 20054956 registers.ebx: 4294941900 registers.esi: 20054306 registers.ecx: 1844656430	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 ba 65 00 00 89 04 24 89 2c 24 53 89 e3 81 exception.symbol: 11+0x42eaf3 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4385523 exception.address: 0x131eaf3 registers.esp: 3406424 registers.edi: 20078585 registers.eax: 4294937580 registers.ebp: 4021919764 registers.edx: 20054956 registers.ebx: 65513 registers.esi: 20054306 registers.ecx: 20054956	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb b8 4f 2e 48 2d 53 55 68 9f 4f 00 00 89 14 24 exception.symbol: 11+0x43ad79 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4435321 exception.address: 0x132ad79 registers.esp: 3406424 registers.edi: 1345847296 registers.eax: 28929 registers.ebp: 4021919764 registers.edx: 0 registers.ebx: 1362790332 registers.esi: 20098923 registers.ecx: 1358981728	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 a1 32 00 00 e9 2b 00 00 00 b9 3e 56 df 59 exception.symbol: 11+0x44d2bc exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4510396 exception.address: 0x133d2bc registers.esp: 3406392 registers.edi: 4294938832 registers.eax: 30810 registers.ebp: 4021919764 registers.edx: 20202234 registers.ebx: 795741111 registers.esi: 20166023 registers.ecx: 642858344	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 d2 01 00 00 5e 31 d9 5b 51 e9 1c 05 00 00 exception.symbol: 11+0x44d713 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4511507 exception.address: 0x133d713 registers.esp: 3406392 registers.edi: 4294938832 registers.eax: 0 registers.ebp: 4021919764 registers.edx: 269700313 registers.ebx: 20176761 registers.esi: 20166023 registers.ecx: 2355557728	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 33 ff 34 24 e9 66 00 00 00 f7 d8 exception.symbol: 11+0x44efd2 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4517842 exception.address: 0x133efd2 registers.esp: 3406392 registers.edi: 0 registers.eax: 25712 registers.ebp: 4021919764 registers.edx: 20176884 registers.ebx: 20205416 registers.esi: 20176790 registers.ecx: 0	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 c5 3d 00 00 89 04 24 e9 00 00 00 00 b8 4e exception.symbol: 11+0x44f466 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4519014 exception.address: 0x133f466 registers.esp: 3406392 registers.edi: 0 registers.eax: 25712 registers.ebp: 4021919764 registers.edx: 20176884 registers.ebx: 20205416 registers.esi: 4294944124 registers.ecx: 457705	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 57 bf e1 22 76 26 29 fe 5f e9 4b 01 00 00 f7 exception.symbol: 11+0x457359 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4551513 exception.address: 0x1347359 registers.esp: 3406388 registers.edi: 0 registers.eax: 32281 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 1976696832 registers.esi: 20213545 registers.ecx: 2005532672	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 51 89 e1 81 c1 04 00 00 00 50 b8 exception.symbol: 11+0x45785a exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4552794 exception.address: 0x134785a registers.esp: 3406392 registers.edi: 0 registers.eax: 32281 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 1976696832 registers.esi: 20245826 registers.ecx: 2005532672	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 56 be 58 11 d9 4e 81 ec 04 00 00 00 89 0c 24 exception.symbol: 11+0x457a52 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4553298 exception.address: 0x1347a52 registers.esp: 3406392 registers.edi: 4294938016 registers.eax: 32281 registers.ebp: 4021919764 registers.edx: 734240141 registers.ebx: 1976696832 registers.esi: 20245826 registers.ecx: 2005532672	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 67 b5 ab 76 ff 34 24 ff 34 24 e9 5f 00 00 exception.symbol: 11+0x45b4be exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4568254 exception.address: 0x134b4be registers.esp: 3406392 registers.edi: 98537 registers.eax: 25719 registers.ebp: 4021919764 registers.edx: 0 registers.ebx: 4294946296 registers.esi: 0 registers.ecx: 20233397	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 81 c6 13 7d 02 30 81 c6 11 4e 0c 47 55 bd d6 exception.symbol: 11+0x45f72c exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4585260 exception.address: 0x134f72c registers.esp: 3406388 registers.edi: 9175040 registers.eax: 31598 registers.ebp: 4021919764 registers.edx: 1290 registers.ebx: 398229854 registers.esi: 20247968 registers.ecx: 1291	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 16 81 ec 04 00 00 00 89 2c 24 bd exception.symbol: 11+0x45fb9b exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4586395 exception.address: 0x134fb9b registers.esp: 3406392 registers.edi: 9175040 registers.eax: 31598 registers.ebp: 4021919764 registers.edx: 1290 registers.ebx: 398229854 registers.esi: 20279566 registers.ecx: 1291	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 bb 2f 00 00 e9 d4 f7 ff ff 51 89 e1 81 c1 exception.symbol: 11+0x45ff25 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4587301 exception.address: 0x134ff25 registers.esp: 3406392 registers.edi: 2277910251 registers.eax: 31598 registers.ebp: 4021919764 registers.edx: 4294938268 registers.ebx: 398229854 registers.esi: 20279566 registers.ecx: 1291	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 51 b9 c4 26 37 1a 89 cf 59 exception.symbol: 11+0x4609be exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4590014 exception.address: 0x13509be registers.esp: 3406388 registers.edi: 20303643 registers.eax: 26186 registers.ebp: 4021919764 registers.edx: 20251816 registers.ebx: 762298129 registers.esi: 20252184 registers.ecx: 762298129	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 e5 11 00 00 e9 a7 03 00 00 5e 53 89 e3 81 exception.symbol: 11+0x460a7b exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4590203 exception.address: 0x1350a7b registers.esp: 3406392 registers.edi: 4294943572 registers.eax: 26186 registers.ebp: 4021919764 registers.edx: 81129 registers.ebx: 762298129 registers.esi: 20278370 registers.ecx: 762298129	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 89 3c 24 e9 9e f9 ff ff 81 c4 04 exception.symbol: 11+0x465e40 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4611648 exception.address: 0x1355e40 registers.esp: 3406388 registers.edi: 4294943572 registers.eax: 20272762 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 20256949 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 01 16 00 00 ff 34 24 ff 34 24 5b 83 c4 04 exception.symbol: 11+0x46604c exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4612172 exception.address: 0x135604c registers.esp: 3406392 registers.edi: 4294943572 registers.eax: 20297982 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 20256949 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 00 35 1d 02 8b 04 24 52 54 5a e9 35 fd ff exception.symbol: 11+0x465fd0 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4612048 exception.address: 0x1355fd0 registers.esp: 3406392 registers.edi: 4294943572 registers.eax: 20275450 registers.ebp: 4021919764 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 38377 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 b0 02 00 00 bf b3 6c 38 5e 81 f7 66 6f 97 exception.symbol: 11+0x468d63 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4623715 exception.address: 0x1358d63 registers.esp: 3406392 registers.edi: 47964 registers.eax: 30045 registers.ebp: 4021919764 registers.edx: 1968843900 registers.ebx: 20316038 registers.esi: 9551852 registers.ecx: 20113249	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 51 53 e9 d1 f9 ff ff 68 65 06 00 00 89 34 24 exception.symbol: 11+0x4691f7 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4624887 exception.address: 0x13591f7 registers.esp: 3406392 registers.edi: 0 registers.eax: 30045 registers.ebp: 4021919764 registers.edx: 93417 registers.ebx: 20288634 registers.esi: 9551852 registers.ecx: 20113249	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 68 66 70 00 00 89 0c 24 52 ba 8d exception.symbol: 11+0x4738b7 exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4667575 exception.address: 0x13638b7 registers.esp: 3406388 registers.edi: 20317083 registers.eax: 31014 registers.ebp: 4021919764 registers.edx: 20328121 registers.ebx: 20302756 registers.esi: 20302752 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb e9 36 00 00 00 5b 01 f3 5e e9 05 08 00 00 87 exception.symbol: 11+0x472f7d exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4665213 exception.address: 0x1362f7d registers.esp: 3406392 registers.edi: 8937 registers.eax: 31014 registers.ebp: 4021919764 registers.edx: 20331183 registers.ebx: 0 registers.esi: 20302752 registers.ecx: 1345847296	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: fb 68 0a 1c 00 00 ff 34 24 ff 34 24 5f 53 89 e3 exception.symbol: 11+0x47912f exception.instruction: sti exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4690223 exception.address: 0x136912f registers.esp: 3406392 registers.edi: 47964 registers.eax: 20384766 registers.ebp: 4021919764 registers.edx: 1968843900 registers.ebx: 20337857 registers.esi: 9551852 registers.ecx: 20113249	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (13 events)

Time & API	Arguments	Status	Return
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1276 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1336 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1336 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1352 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1352 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1340 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1340 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1336 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1340 port: 0	1	0
bind April 16, 2023, 4:15 p.m.	ip_address: 0.0.0.0 socket: 1340 port: 0	1	0
bind April 16, 2023, 4:16 p.m.	ip_address: 127.0.0.1 socket: 1172 port: 51897	1	0
listen April 16, 2023, 4:16 p.m.	socket: 1172 backlog: 10	1	0
accept April 16, 2023, 4:16 p.m.	ip_address: socket: 1172 port: 0		-1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2098 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74871000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75161000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74871000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748712d0 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001014 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75091000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754017d0 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760070 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a60000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b319a8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d2224c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754b0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31394 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11350 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74871000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74871188 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750011c8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75091000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750910ec process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75161000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x751610e4 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7540180c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f035c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754b0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x754b0270 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b313a8 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d2124c process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b21198 process_handle: 0xffffffff		3221225477

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2676 crashed
__exception__ April 16, 2023, 4:16 p.m.	stacktrace: 0x180004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x180004 registers.r14: 207418296 registers.r15: 127385488 registers.rcx: 1392 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 207417552 registers.rsp: 207417272 registers.r11: 207421168 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1400 registers.r12: 207417912 registers.rbp: 207417408 registers.rdi: 127077408 registers.rax: 1572864 registers.r13: 293986656	1	0	0

Steals private information from local Internet browsers (50 out of 98 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\QuotaManager-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Google Profile.ico
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Shortcuts-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Favicons
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Reporting and NEL
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Visited Links
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Shortcuts
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Top Sites
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Safe Browsing Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Application Cache\Index
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\DevToolsActivePort
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\QuotaManager
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Top Sites-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\TransportSecurity
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\000006.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Local Storage\leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\previews_opt_out.db-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\blob_storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Code Cache\js
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Code Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Last Browser
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Reporting and NEL-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Code Cache\wasm
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\in_progress_download_metadata_store
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Trust Tokens-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Service Worker\Database\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Local Storage\leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Origin Bound Certs
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Code Cache\js\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\MANIFEST-000004
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Default\previews_opt_out.db

Creates executable files on the filesystem (4 events)

file	C:\Windows\Temp\11.exe
file	C:\Windows\Temp\22.exe
file	C:\Windows\Temp\321.exe
file	C:\Windows\Temp\123.exe

Drops a binary and executes it (4 events)

file	C:\Windows\Temp\11.exe
file	C:\Windows\Temp\22.exe
file	C:\Windows\Temp\123.exe
file	C:\Windows\Temp\321.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 16, 2023, 4:15 p.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000e200', u'virtual_address': u'0x0005d000', u'entropy': 6.802287495720708, u'name': u'.rsrc', u'virtual_size': u'0x0000e034'}

entropy

6.80228749572

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 16, 2023, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2023, 4:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2023, 4:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (9 events)

description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: 7-Zip base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: AddressBook base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Adobe AIR base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Connection Manager base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: EditPlus base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Fontcore base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Google Chrome base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: IE40 base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: IE4Data base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: IE5BAKEX base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: IEData base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: MobileOptionPack base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: SchedulingAgent base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: WIC base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW April 16, 2023, 4:15 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000003fc key_handle: 0x00000404 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (3 events)

Time & API	Arguments	Status
NtTerminateProcess April 16, 2023, 4:16 p.m.	status_code: 0xffffffff process_identifier: 2320 process_handle: 0x0000053c
NtTerminateProcess April 16, 2023, 4:16 p.m.	status_code: 0xc0000005 process_identifier: 2676 process_handle: 0x000000000000018c
NtTerminateProcess April 16, 2023, 4:16 p.m.	status_code: 0xc0000005 process_identifier: 2676 process_handle: 0x000000000000018c	1

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: a681423d920ec6b6b62963eb3f194979487b2276

Communicates with host for which no DNS query was performed (2 events)

host	178.32.215.165
host	45.77.166.103

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2380 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000068	1	0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 146 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 16, 2023, 4:15 p.m.	class_name: pediy06 window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 16, 2023, 4:15 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	321.exe tried to sleep 2728202 seconds, actually delayed analysis time by 2728202 seconds
description	11.exe tried to sleep 320 seconds, actually delayed analysis time by 320 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 16, 2023, 4:15 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2380 process_handle: 0x00000068	1	1	0

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000404 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW April 16, 2023, 4:15 p.m.	key_handle: 0x00000330 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 called NtSetContextThread to modify thread in remote process 2380
NtSetContextThread April 16, 2023, 4:15 p.m.	registers.eip: 2005598660 registers.esp: 1506008 registers.edi: 0 registers.eax: 4333438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2380	1	0	0

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3e16e00,0x7fef3e16e10,0x7fef3e16e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef3723d58,0x7fef3723d68,0x7fef3723d78
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,3076318337519257171,11100046202377916358,131072 --headless --headless --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=928 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (30 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 resumed a thread in remote process 2380
Process injection	Process 2912 resumed a thread in remote process 2676
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000064 suspend_count: 1 process_identifier: 2380	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 16, 2023, 4:15 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 3e f7 ff ff 29 d3 5a exception.symbol: 11+0x4179f4 exception.instruction: in eax, dx exception.module: 11.exe exception.exception_code: 0xc0000096 exception.offset: 4291060 exception.address: 0x13079f4 registers.esp: 3406424 registers.edi: 7876601 registers.eax: 1447909480 registers.ebp: 4021919764 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 19948606 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Executed a process and injected code into it, probably while unpacking (50 out of 96 events)

Time & API	Arguments	Status	Return
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2032	1	0
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2192 thread_handle: 0x0000027c process_identifier: 2188 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\11.exe track: 1 command_line: "C:\Windows\Temp\11.exe" filepath_r: C:\Windows\Temp\11.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000278	1	1
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2232 thread_handle: 0x000001c4 process_identifier: 2228 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\22.exe track: 1 command_line: "C:\Windows\Temp\22.exe" filepath_r: C:\Windows\Temp\22.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2280 thread_handle: 0x000001bc process_identifier: 2276 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\123.exe track: 1 command_line: "C:\Windows\Temp\123.exe" filepath_r: C:\Windows\Temp\123.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2324 thread_handle: 0x000001c0 process_identifier: 2320 current_directory: C:\Windows\Temp filepath: C:\Windows\Temp\321.exe track: 1 command_line: "C:\Windows\Temp\321.exe" filepath_r: C:\Windows\Temp\321.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2188	1	0
NtGetContextThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001c8	1	0
NtGetContextThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001c8	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 2188	1	0
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2384 thread_handle: 0x00000064 process_identifier: 2380 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000068	1	1
NtGetContextThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000064	1	0
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2380 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000068	1	0
WriteProcessMemory April 16, 2023, 4:15 p.m.	buffer: base_address: 0x00400000 process_identifier: 2380 process_handle: 0x00000068	1	1
WriteProcessMemory April 16, 2023, 4:15 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2380 process_handle: 0x00000068	1	1
NtSetContextThread April 16, 2023, 4:15 p.m.	registers.eip: 2005598660 registers.esp: 1506008 registers.edi: 0 registers.eax: 4333438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2380	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000064 suspend_count: 1 process_identifier: 2380	1	0
NtGetContextThread April 16, 2023, 4:15 p.m.	thread_handle: 0xfffffffe	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2320	1	0
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2680 thread_handle: 0x00000330 process_identifier: 2676 current_directory: C:\Windows\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=51897 --headless --user-data-dir="C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" --profile-directory="Default" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000004b8 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000004d4 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000514 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000528 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x000001f0 suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x0000000000000080 suspend_count: 1 process_identifier: 2676	1	0
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2748 thread_handle: 0x00000000000000c8 process_identifier: 2744 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataSUIZM" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3e16e00,0x7fef3e16e10,0x7fef3e16e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000cc	1	1
CreateProcessInternalW April 16, 2023, 4:15 p.m.	thread_identifier: 2916 thread_handle: 0x0000000000000190 process_identifier: 2912 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef3723d58,0x7fef3723d68,0x7fef3723d78 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000194	1	1
CreateProcessInternalW April 16, 2023, 4:16 p.m.	thread_identifier: 2844 thread_handle: 0x00000000000004c4 process_identifier: 508 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,3076318337519257171,11100046202377916358,131072 --headless --headless --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=928 /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000578	1	1
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000000000000f0 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread April 16, 2023, 4:15 p.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2912	1	0
NtGetContextThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8	1	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0
NtGetContextThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8	1	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0
NtGetContextThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8	1	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0
NtGetContextThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8	1	0
NtResumeThread April 16, 2023, 4:16 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2676	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.Win32.HTA.4!c
MicroWorld-eScan	Trojan.GenericKD.66436112
FireEye	Generic.mg.dd0379a70a71b60b
CAT-QuickHeal	Trojan.Miner.KG5
ALYac	Gen:Trojan.Heur.TP.h!X@bOO9GAfi
Malwarebytes	Generic.Malware/Suspicious
VIPRE	Gen:Trojan.Heur.TP.h!X@bOO9GAfi
Sangfor	Trojan.Win32.Agent.Vo9r
Alibaba	TrojanSpy:Win32/Stealer.297720cb
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Heur.TP.E9EF88
Cyren	W32/Themida.S.gen!Eldorado
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.HTA.ri
BitDefender	Trojan.GenericKD.66436112
NANO-Antivirus	Virus.Win32.Gen.ccmw
Avast	Win32:CrypterX-gen [Trj]
Tencent	Win32.Trojan-Spy.Stealer.Cwnw
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1363295
DrWeb	Trojan.Inject4.56241
TrendMicro	TrojanSpy.Win32.REDLINE.YXDDPZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Emsisoft	Trojan.GenericKD.66436112 (B)
SentinelOne	Static AI - Malicious SFX
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1363295
MAX	malware (ai score=86)
Gridinsoft	Malware.Win32.RedLine.bot
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Win32.Trojan-Stealer.Cordimik.E27ZIZ
Google	Detected
McAfee	Artemis!DD0379A70A71
Cylance	unsafe
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDDPZ
Rising	Trojan.Generic@AI.84 (RDML:yVMBhx1lKddJ/L+pe0GB4A)
Yandex	Trojan.Agent!Fw87TM+XcPM
Ikarus	Trojan.Win32.Crypt
Fortinet	W32/Kryptik.HPND!tr
BitDefenderTheta	Gen:NN.ZexaF.36132.mvW@ai@Txld
AVG	Win32:CrypterX-gen [Trj]
DeepInstinct	MALICIOUS

114.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All