Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2024, 7:33 a.m.	May 31, 2024, 7:37 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2f1168a237b3b15e3e2c7b6fd1b41702`
SHA256	`b14a0f96d337a31d280461962eb799c57d0a0e724b8b5d704a040344655cbc95`
CRC32	`BA1C01E9`
ssdeep	`49152:zkmKhyq24kI3qebVa4yFLDqFGov9cVAd69TNqZLNiMNoCya:zkmKEqlkAbklZqFGC9V40ZBNo7a`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

sarra.exe "C:\Users\test22\AppData\Local\Temp\sarra.exe"
1460
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2528
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2616

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
147.45.47.126	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch
194.54.164.123	Active	Moloch
45.130.41.108	Active	Moloch
51.15.65.182	Active	Moloch
94.232.45.38	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.47.149:54674 -> 192.168.56.103:49297	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 147.45.47.126:58709 -> 192.168.56.103:49166	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.103:49166	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.103:49166	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 147.45.47.126:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 147.45.47.126:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (19 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:33 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:34 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 31, 2024, 7:34 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 31, 2024, 7:34 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2024, 7:34 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	ivxhxhfy
section	pljdfxpv
section	.taggant

One or more processes crashed (50 out of 116 events)

Time & API	Arguments	Status
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: sarra+0x43e0b9 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 4448441 exception.address: 0x120e0b9 registers.esp: 3537492 registers.edi: 0 registers.eax: 1 registers.ebp: 3537508 registers.edx: 20611072 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 81 c3 90 dd f3 2e 81 eb 34 c2 f7 7f 83 ec 04 exception.symbol: sarra+0x18f31f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1635103 exception.address: 0xf5f31f registers.esp: 3537456 registers.edi: 1971192040 registers.eax: 25456 registers.ebp: 4006137876 registers.edx: 14483456 registers.ebx: 16117294 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 52 e9 e8 02 00 00 ff 34 24 5e 57 54 exception.symbol: sarra+0x18f366 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1635174 exception.address: 0xf5f366 registers.esp: 3537460 registers.edi: 1971192040 registers.eax: 0 registers.ebp: 4006137876 registers.edx: 14483456 registers.ebx: 16120054 registers.esi: 82608465 registers.ecx: 1971388416	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 81 c3 7e cc 3f 2e 03 1c 24 56 be 41 d2 f6 7e exception.symbol: sarra+0x1901fd exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1638909 exception.address: 0xf601fd registers.esp: 3537456 registers.edi: 1971192040 registers.eax: 27824 registers.ebp: 4006137876 registers.edx: 14483456 registers.ebx: 16120414 registers.esi: 82608465 registers.ecx: 1097966075	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 55 56 81 ec 04 00 00 00 89 0c 24 52 c7 04 24 exception.symbol: sarra+0x1905df exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1639903 exception.address: 0xf605df registers.esp: 3537460 registers.edi: 4294942496 registers.eax: 27824 registers.ebp: 4006137876 registers.edx: 14483456 registers.ebx: 16148238 registers.esi: 82608465 registers.ecx: 237801	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 53 e9 b5 02 00 00 81 c2 04 00 00 00 87 14 24 exception.symbol: sarra+0x30d483 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3200131 exception.address: 0x10dd483 registers.esp: 3537456 registers.edi: 16157176 registers.eax: 32255 registers.ebp: 4006137876 registers.edx: 2345 registers.ebx: 17681772 registers.esi: 17681246 registers.ecx: 804585472	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 56 50 54 58 05 04 00 00 00 2d 04 00 00 00 33 exception.symbol: sarra+0x30d0a8 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3199144 exception.address: 0x10dd0a8 registers.esp: 3537460 registers.edi: 0 registers.eax: 32255 registers.ebp: 4006137876 registers.edx: 2345 registers.ebx: 17685103 registers.esi: 17681246 registers.ecx: 605325655	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 e9 ab 02 00 00 51 b9 65 33 exception.symbol: sarra+0x313988 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3225992 exception.address: 0x10e3988 registers.esp: 3537456 registers.edi: 416109510 registers.eax: 32598 registers.ebp: 4006137876 registers.edx: 1279992410 registers.ebx: 17706350 registers.esi: 17708782 registers.ecx: 17706350	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 57 e9 22 01 00 00 81 c4 04 00 00 00 8f 04 24 exception.symbol: sarra+0x313a02 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3226114 exception.address: 0x10e3a02 registers.esp: 3537460 registers.edi: 4294937608 registers.eax: 32598 registers.ebp: 4006137876 registers.edx: 1279992410 registers.ebx: 1259 registers.esi: 17741380 registers.ecx: 17706350	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 59 fb ff ff 50 b8 9a c1 df 5d 2d 64 14 f7 exception.symbol: sarra+0x31aef5 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3256053 exception.address: 0x10eaef5 registers.esp: 3537456 registers.edi: 4992743 registers.eax: 26723 registers.ebp: 4006137876 registers.edx: 17737348 registers.ebx: 1259 registers.esi: 17741380 registers.ecx: 1971442156	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 62 fd ff ff 53 c7 04 24 be d9 43 fc e9 2c exception.symbol: sarra+0x31ad58 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3255640 exception.address: 0x10ead58 registers.esp: 3537460 registers.edi: 4992743 registers.eax: 26723 registers.ebp: 4006137876 registers.edx: 17740195 registers.ebx: 1114345 registers.esi: 0 registers.ecx: 1971442156	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 aa c8 ff ff 87 1c 24 exception.symbol: sarra+0x321962 exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3283298 exception.address: 0x10f1962 registers.esp: 3537452 registers.edi: 4992743 registers.eax: 1447909480 registers.ebp: 4006137876 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 17744359 registers.ecx: 20	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: sarra+0x321bde exception.address: 0x10f1bde exception.module: sarra.exe exception.exception_code: 0xc000001d exception.offset: 3283934 registers.esp: 3537452 registers.edi: 4992743 registers.eax: 1 registers.ebp: 4006137876 registers.edx: 22104 registers.ebx: 0 registers.esi: 17744359 registers.ecx: 20	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 4f 37 2d 12 01 exception.symbol: sarra+0x321f67 exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3284839 exception.address: 0x10f1f67 registers.esp: 3537452 registers.edi: 4992743 registers.eax: 1447909480 registers.ebp: 4006137876 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 17744359 registers.ecx: 10	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 c7 04 24 86 6e 7d exception.symbol: sarra+0x32509e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3297438 exception.address: 0x10f509e registers.esp: 3537460 registers.edi: 4992743 registers.eax: 29845 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 72114765 registers.esi: 10 registers.ecx: 17809440	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 68 75 24 e3 54 5a 55 56 be f9 51 bd 7b c1 ee exception.symbol: sarra+0x324efc exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3297020 exception.address: 0x10f4efc registers.esp: 3537460 registers.edi: 4992743 registers.eax: 29845 registers.ebp: 4006137876 registers.edx: 1426090592 registers.ebx: 4294940700 registers.esi: 10 registers.ecx: 17809440	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 55 e8 03 00 00 00 20 5d c3 5d exception.symbol: sarra+0x325ada exception.instruction: int 1 exception.module: sarra.exe exception.exception_code: 0xc0000005 exception.offset: 3300058 exception.address: 0x10f5ada registers.esp: 3537420 registers.edi: 0 registers.eax: 3537420 registers.ebp: 4006137876 registers.edx: 1107951796 registers.ebx: 17783753 registers.esi: 64012 registers.ecx: 1184833141	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 68 b9 2d c2 4b 89 3c 24 89 1c 24 68 97 04 e7 exception.symbol: sarra+0x334ba7 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3361703 exception.address: 0x1104ba7 registers.esp: 3537456 registers.edi: 17842201 registers.eax: 30676 registers.ebp: 4006137876 registers.edx: 6 registers.ebx: 72114987 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 68 a7 54 a9 50 89 3c 24 bf 1c e7 fb 6d 68 b5 exception.symbol: sarra+0x33467f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3360383 exception.address: 0x110467f registers.esp: 3537460 registers.edi: 17872877 registers.eax: 30676 registers.ebp: 4006137876 registers.edx: 6 registers.ebx: 72114987 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 63 e7 86 3e 89 04 24 83 ec 04 89 exception.symbol: sarra+0x334505 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3360005 exception.address: 0x1104505 registers.esp: 3537460 registers.edi: 17845673 registers.eax: 54761 registers.ebp: 4006137876 registers.edx: 0 registers.ebx: 72114987 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 57 bf b3 c6 f3 7c f7 d7 68 0f 26 96 55 89 14 exception.symbol: sarra+0x33964d exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3380813 exception.address: 0x110964d registers.esp: 3537452 registers.edi: 0 registers.eax: 27461 registers.ebp: 4006137876 registers.edx: 0 registers.ebx: 606898512 registers.esi: 17864917 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 68 60 b6 98 7f 89 34 24 55 bd 51 78 f5 77 56 exception.symbol: sarra+0x33a011 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3383313 exception.address: 0x110a011 registers.esp: 3537452 registers.edi: 604292944 registers.eax: 17893856 registers.ebp: 4006137876 registers.edx: 1734294132 registers.ebx: 606898512 registers.esi: 17864917 registers.ecx: 4294942116	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 50 e9 8b 07 00 00 57 c7 04 24 00 e8 fe 6d e9 exception.symbol: sarra+0x33bf25 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3391269 exception.address: 0x110bf25 registers.esp: 3537448 registers.edi: 604292944 registers.eax: 25650 registers.ebp: 4006137876 registers.edx: 1734294132 registers.ebx: 831805503 registers.esi: 17864917 registers.ecx: 17874417	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 00 fc ff ff b9 33 6f 58 8c 89 ca e9 ca f8 exception.symbol: sarra+0x33c721 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3393313 exception.address: 0x110c721 registers.esp: 3537452 registers.edi: 604292944 registers.eax: 25650 registers.ebp: 4006137876 registers.edx: 1734294132 registers.ebx: 831805503 registers.esi: 17864917 registers.ecx: 17900067	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb b9 e7 94 bf 75 50 50 89 0c 24 e9 8a fb ff ff exception.symbol: sarra+0x33c2af exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3392175 exception.address: 0x110c2af registers.esp: 3537452 registers.edi: 604292944 registers.eax: 4294944544 registers.ebp: 4006137876 registers.edx: 1734294132 registers.ebx: 84201 registers.esi: 17864917 registers.ecx: 17900067	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 01 2f ff 5e 89 0c 24 b9 13 d1 63 exception.symbol: sarra+0x34d048 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3461192 exception.address: 0x111d048 registers.esp: 3537448 registers.edi: 148 registers.eax: 26136 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 17943184 registers.esi: 0 registers.ecx: 804585472	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 53 89 34 24 89 0c 24 c7 04 24 79 27 9e 24 52 exception.symbol: sarra+0x34d4e1 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3462369 exception.address: 0x111d4e1 registers.esp: 3537452 registers.edi: 148 registers.eax: 26136 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 17969320 registers.esi: 0 registers.ecx: 804585472	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 83 ec 04 89 14 24 55 55 c7 04 24 exception.symbol: sarra+0x34cfc9 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3461065 exception.address: 0x111cfc9 registers.esp: 3537452 registers.edi: 148 registers.eax: 26136 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 17969320 registers.esi: 1342204512 registers.ecx: 4294944016	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 85 04 00 00 57 54 5f 81 c7 04 00 00 00 83 exception.symbol: sarra+0x362824 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3549220 exception.address: 0x1132824 registers.esp: 3537416 registers.edi: 5046272 registers.eax: 30595 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 23011344 registers.esi: 40968502 registers.ecx: 18032618	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 29 db e9 1d 06 00 00 89 0c 24 50 b8 7f 1c 5c exception.symbol: sarra+0x362b47 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3550023 exception.address: 0x1132b47 registers.esp: 3537420 registers.edi: 5046272 registers.eax: 30595 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 23011344 registers.esi: 40968502 registers.ecx: 18063213	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 51 89 24 24 83 04 24 04 58 05 04 exception.symbol: sarra+0x363499 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3552409 exception.address: 0x1133499 registers.esp: 3537420 registers.edi: 5046272 registers.eax: 76109651 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 4294940016 registers.esi: 40968502 registers.ecx: 18063213	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 81 eb 9c f8 fe 52 e9 49 06 00 00 81 c3 0e ff exception.symbol: sarra+0x363667 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3552871 exception.address: 0x1133667 registers.esp: 3537416 registers.edi: 5046272 registers.eax: 31080 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 18036319 registers.esi: 40968502 registers.ecx: 1028678751	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 ab 03 00 00 58 81 e5 49 4a d7 6f 53 68 4c exception.symbol: sarra+0x363d14 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3554580 exception.address: 0x1133d14 registers.esp: 3537420 registers.edi: 1375758944 registers.eax: 0 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 18039407 registers.esi: 40968502 registers.ecx: 1028678751	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 92 00 00 00 bb 0c ea fb 7f 81 c3 73 d9 e7 exception.symbol: sarra+0x364eb7 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3559095 exception.address: 0x1134eb7 registers.esp: 3537420 registers.edi: 18040045 registers.eax: 26478 registers.ebp: 4006137876 registers.edx: 18066969 registers.ebx: 18039407 registers.esi: 18039437 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 55 68 00 5c e7 0b e9 75 fd ff ff 83 04 24 04 exception.symbol: sarra+0x364cdd exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3558621 exception.address: 0x1134cdd registers.esp: 3537420 registers.edi: 4294943684 registers.eax: 26478 registers.ebp: 4006137876 registers.edx: 18066969 registers.ebx: 18039407 registers.esi: 18039437 registers.ecx: 3921709920	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 55 bd e6 b0 44 16 87 cd 51 f7 14 24 e9 1f 05 exception.symbol: sarra+0x36acef exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3583215 exception.address: 0x113acef registers.esp: 3537420 registers.edi: 18068604 registers.eax: 29175 registers.ebp: 4006137876 registers.edx: 915381645 registers.ebx: 65804 registers.esi: 3523 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 52 ba 04 00 00 00 exception.symbol: sarra+0x36f2d7 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3601111 exception.address: 0x113f2d7 registers.esp: 3537416 registers.edi: 4024132712 registers.eax: 28225 registers.ebp: 4006137876 registers.edx: 423623929 registers.ebx: 18082530 registers.esi: 18072127 registers.ecx: 441704748	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 0b 00 00 00 81 c4 04 00 00 00 e9 ba f5 ff exception.symbol: sarra+0x36f597 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3601815 exception.address: 0x113f597 registers.esp: 3537420 registers.edi: 4024132712 registers.eax: 28225 registers.ebp: 4006137876 registers.edx: 423623929 registers.ebx: 18110755 registers.esi: 18072127 registers.ecx: 441704748	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 68 51 3a 1f 6d 89 0c 24 e9 bd 0a 00 00 81 c4 exception.symbol: sarra+0x36eb74 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3599220 exception.address: 0x113eb74 registers.esp: 3537420 registers.edi: 4024132712 registers.eax: 28225 registers.ebp: 4006137876 registers.edx: 0 registers.ebx: 18085591 registers.esi: 18072127 registers.ecx: 3939837675	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 52 e9 2d fd ff ff 89 3c 24 bf f1 41 80 ff e9 exception.symbol: sarra+0x37018f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3604879 exception.address: 0x114018f registers.esp: 3537420 registers.edi: 56202 registers.eax: 27531 registers.ebp: 4006137876 registers.edx: 34154 registers.ebx: 621403018 registers.esi: 636577837 registers.ecx: 18114551	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 55 68 a3 4e 5e 7f 8b 2c 24 83 c4 04 81 c5 f8 exception.symbol: sarra+0x3700f7 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3604727 exception.address: 0x11400f7 registers.esp: 3537420 registers.edi: 4294942332 registers.eax: 27531 registers.ebp: 4006137876 registers.edx: 34154 registers.ebx: 621403018 registers.esi: 157417 registers.ecx: 18114551	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 56 e9 a0 00 00 00 c1 e2 06 exception.symbol: sarra+0x372a75 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3615349 exception.address: 0x1142a75 registers.esp: 3537420 registers.edi: 18123841 registers.eax: 27485 registers.ebp: 4006137876 registers.edx: 1660218737 registers.ebx: 4294942716 registers.esi: 4277005973 registers.ecx: 1678313281	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 52 e9 3f 00 00 00 f7 d1 e9 31 fd ff ff 31 f2 exception.symbol: sarra+0x372afc exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3615484 exception.address: 0x1142afc registers.esp: 3537420 registers.edi: 18123841 registers.eax: 4294942712 registers.ebp: 4006137876 registers.edx: 81129 registers.ebx: 4294942716 registers.esi: 4277005973 registers.ecx: 1678313281	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 57 e9 d6 fa ff ff exception.symbol: sarra+0x37890d exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3639565 exception.address: 0x114890d registers.esp: 3537416 registers.edi: 18123841 registers.eax: 28354 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18121444 registers.ecx: 804585472	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 68 54 69 4f 1e e9 99 06 00 00 81 c4 04 00 00 exception.symbol: sarra+0x378516 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3638550 exception.address: 0x1148516 registers.esp: 3537420 registers.edi: 18123841 registers.eax: 28354 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18149798 registers.ecx: 804585472	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: sarra+0x3782ff exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3638015 exception.address: 0x11482ff registers.esp: 3537420 registers.edi: 18123841 registers.eax: 4118109544 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18124382 registers.ecx: 0	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 47 01 00 00 68 f7 74 d6 47 89 0c 24 b9 81 exception.symbol: sarra+0x3835bb exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3683771 exception.address: 0x11535bb registers.esp: 3537416 registers.edi: 4024189821 registers.eax: 27432 registers.ebp: 4006137876 registers.edx: 1760760 registers.ebx: 18164710 registers.esi: 36251310 registers.ecx: 19923750	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: sarra+0x3836bf exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3684031 exception.address: 0x11536bf registers.esp: 3537420 registers.edi: 4294942856 registers.eax: 2210629971 registers.ebp: 4006137876 registers.edx: 1760760 registers.ebx: 18192142 registers.esi: 36251310 registers.ecx: 19923750	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb e9 3d 01 00 00 c1 e5 05 52 89 1c 24 55 bd b6 exception.symbol: sarra+0x3966a7 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3761831 exception.address: 0x11666a7 registers.esp: 3537420 registers.edi: 18245692 registers.eax: 3732380344 registers.ebp: 4006137876 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 3915756 registers.ecx: 804585472	1
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: fb 53 bb a3 df 13 75 81 c3 32 e1 b1 6f 81 cb 01 exception.symbol: sarra+0x396bee exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3763182 exception.address: 0x1166bee registers.esp: 3537416 registers.edi: 18245692 registers.eax: 18246077 registers.ebp: 4006137876 registers.edx: 63071696 registers.ebx: 1587079871 registers.esi: 3915756 registers.ecx: 804585472	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

sarra.exe tried to sleep 299 seconds, actually delayed analysis time by 299 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 31, 2024, 7:34 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 5998 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Sync Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 31, 2024, 7:34 a.m.	thread_identifier: 2532 thread_handle: 0x000001c0 process_identifier: 2528 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c4	1	1	0
CreateProcessInternalW May 31, 2024, 7:34 a.m.	thread_identifier: 2620 thread_handle: 0x000001cc process_identifier: 2616 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c8	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: pw.exe process_identifier: 1688	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: taskhost.exe process_identifier: 912	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: SearchFilterHost.exe process_identifier: 1504	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: sarra.exe process_identifier: 1460	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: svchost.exe process_identifier: 2312	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: mscorsvw.exe process_identifier: 2340	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: cmd.exe process_identifier: 2508	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: conhost.exe process_identifier: 2516	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x000004f0 process_name: pw.exe process_identifier: 2572	1	1

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x000ab400', u'virtual_address': u'0x00001000', u'entropy': 7.924870459568174, u'name': u' \\x00 ', u'virtual_size': u'0x00189000'}

entropy

7.92487045957

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001400', u'virtual_address': u'0x0018a000', u'entropy': 7.564891393494579, u'name': u'.rsrc', u'virtual_size': u'0x00001638'}

entropy

7.56489139349

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00198a00', u'virtual_address': u'0x0043e000', u'entropy': 7.9533010541395015, u'name': u'ivxhxhfy', u'virtual_size': u'0x00199000'}

entropy

7.95330105414

description

A section with a high entropy has been found

entropy

0.995503211991

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA May 31, 2024, 7:34 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x000004fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (5 events)

host	147.45.47.126
host	194.54.164.123
host	45.130.41.108
host	51.15.65.182
host	94.232.45.38

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 57 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:34 a.m.	class_name: GBDYLLO window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA May 31, 2024, 7:34 a.m.	key_handle: 0x000004fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 31, 2024, 7:33 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 aa c8 ff ff 87 1c 24 exception.symbol: sarra+0x321962 exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3283298 exception.address: 0x10f1962 registers.esp: 3537452 registers.edi: 4992743 registers.eax: 1447909480 registers.ebp: 4006137876 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 17744359 registers.ecx: 20	1	0	0

sarra.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All