Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 4, 2023, 5:28 p.m.	Oct. 4, 2023, 5:31 p.m.

Size	12.6MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e16678adff0c94c5c107ff9e3672a6c9`
SHA256	`bacfce630c06766a1c54b55395b84232dfb01a99844a0c732fa45470d9bd434b`
CRC32	`F1A6C318`
ssdeep	`49152:bK32UW/tIMGh2aiASiUyDA147Bf6w9o1grqRykI6c4V/HJY/oFTYpKA3hLAuewii:`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

eCVXk3pYsYhZNlI.exe "C:\Users\test22\AppData\Local\Temp\eCVXk3pYsYhZNlI.exe"
2540
- 6WCKE74G.exe "C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe"
  2756
  - 6WCKE74G.tmp "C:\Users\test22\AppData\Local\Temp\is-PJ43B.tmp\6WCKE74G.tmp" /SL5="$5012C,4486469,58368,C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe"
    2804
- XS1WFR6F.exe "C:\Users\test22\AppData\Roaming\Microsoft\XS1WFR6F.exe"
  2888
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
checkip.dyndns.org	A 132.226.8.169 CNAME checkip.dyndns.com A 193.122.130.0 A 132.226.247.73 A 158.101.44.242 A 193.122.6.168	193.122.130.0
rakishev.net	A 104.21.88.34 A 172.67.150.79	104.21.88.34

IP Address	Status	Action
132.226.247.73	Active	Moloch
164.124.101.2	Active	Moloch
172.67.150.79	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2043238	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49175 -> 172.67.150.79:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 172.67.150.79:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 132.226.247.73:80	2021378	ET POLICY External IP Lookup - checkip.dyndns.org	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49175 172.67.150.79:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=rakishev.net	3b:3e:a0:2d:12:0b:4e:a8:2e:83:37:80:87:de:50:0f:14:a3:24:e9
TLSv1 192.168.56.101:49176 172.67.150.79:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=rakishev.net	3b:3e:a0:2d:12:0b:4e:a8:2e:83:37:80:87:de:50:0f:14:a3:24:e9

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 4, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2023, 5:21 p.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 5:21 p.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 5:29 p.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 5:29 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2023, 5:21 p.m.		1	1	0

One or more processes crashed (15 events)

Time & API	Arguments	Status
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x7704f5 0x7701db CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x725893cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x7258940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x72589479 CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x72592723 CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x72592606 CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x7257fd15 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x72580033 0x8d083e CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 dc 8b 4d d8 e8 7c 4f 92 6f exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x770788 registers.esp: 2615312 registers.edi: 2615336 registers.eax: 0 registers.ebp: 2615352 registers.edx: 158 registers.ebx: 2615492 registers.esi: 39631524 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x771032 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 00 6a 00 ff 70 08 6a 04 8b 15 14 21 5a 03 8b exception.instruction: cmp dword ptr [eax], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x771d4f registers.esp: 2617232 registers.edi: 2617408 registers.eax: 0 registers.ebp: 2617264 registers.edx: 1 registers.ebx: 2617468 registers.esi: 40183656 registers.ecx: 40201316	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x5dae708 0x5dadfb4 0x774b7b 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 5d c3 00 00 e4 ef 6f 00 exception.instruction: mov eax, dword ptr [ecx + 0xc] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dae81c registers.esp: 2615040 registers.edi: 2615096 registers.eax: 0 registers.ebp: 2615040 registers.edx: 2614988 registers.ebx: 40979064 registers.esi: 40972280 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: getJit+0xe3a4 mscorjit+0x534da @ 0x71a634da getJit+0x443a mscorjit+0x49570 @ 0x71a59570 getJit-0x40c50 mscorjit+0x44e6 @ 0x71a144e6 getJit-0x40aca mscorjit+0x466c @ 0x71a1466c getJit-0x3fc12 mscorjit+0x5524 @ 0x71a15524 getJit-0x3fa6b mscorjit+0x56cb @ 0x71a156cb getJit-0x3f356 mscorjit+0x5de0 @ 0x71a15de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x725a3dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x725a3e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x725a3ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x725a3c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x725a3a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x7257fe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x72580033 0x8d083e 0x777157 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2613180 registers.edi: 7748484 registers.eax: 2613180 registers.ebp: 2613260 registers.edx: 0 registers.ebx: 8 registers.esi: 7733264 registers.ecx: 1	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: getJit+0xe3a4 mscorjit+0x534da @ 0x71a634da getJit+0x443a mscorjit+0x49570 @ 0x71a59570 getJit-0x40c50 mscorjit+0x44e6 @ 0x71a144e6 getJit-0x40aca mscorjit+0x466c @ 0x71a1466c getJit-0x3fc12 mscorjit+0x5524 @ 0x71a15524 getJit-0x3fa6b mscorjit+0x56cb @ 0x71a156cb getJit-0x3f356 mscorjit+0x5de0 @ 0x71a15de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x725a3dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x725a3e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x725a3ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x725a3c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x725a3a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x7257fe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x72580033 0x8d083e 0x777157 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2613180 registers.edi: 7748484 registers.eax: 2613180 registers.ebp: 2613260 registers.edx: 0 registers.ebx: 8 registers.esi: 7733264 registers.ecx: 1	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x777503 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b cf e8 9b 24 ec 6b exception.instruction: cmp dword ptr [edi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd1cd5 registers.esp: 2615240 registers.edi: 0 registers.eax: 41028556 registers.ebp: 2615292 registers.edx: 41028556 registers.ebx: 1 registers.esi: 41027648 registers.ecx: 1907121910	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x777511 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b cf e8 9b 24 ec 6b exception.instruction: cmp dword ptr [edi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd1cd5 registers.esp: 2615240 registers.edi: 0 registers.eax: 41029700 registers.ebp: 2615292 registers.edx: 41029700 registers.ebx: 1 registers.esi: 41028792 registers.ecx: 1907121910	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 83 7f 08 01 0f 9f exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77755f registers.esp: 2615300 registers.edi: 0 registers.eax: 0 registers.ebp: 2617264 registers.edx: 2615240 registers.ebx: 1 registers.esi: 41026128 registers.ecx: 41029912	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x77866b 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 50 1b e2 6b 89 45 c4 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd2cd1 registers.esp: 2615232 registers.edi: 2615276 registers.eax: 0 registers.ebp: 2615292 registers.edx: 2615200 registers.ebx: 1 registers.esi: 41045404 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x778a37 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 e9 87 00 00 00 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd2fff registers.esp: 2615236 registers.edi: 2615276 registers.eax: 3 registers.ebp: 2615292 registers.edx: 0 registers.ebx: 1 registers.esi: 41048892 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 83 7f 08 01 0f 9f exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x778b22 registers.esp: 2615300 registers.edi: 40309576 registers.eax: 0 registers.ebp: 2617264 registers.edx: 0 registers.ebx: 1 registers.esi: 41046340 registers.ecx: 2615232	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x779882 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 af 0c e2 6b 89 45 bc 8b ce e8 1d 0e e2 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd3b72 registers.esp: 2615192 registers.edi: 0 registers.eax: 0 registers.ebp: 2615292 registers.edx: 2615160 registers.ebx: 1 registers.esi: 0 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 78 0c 00 0f 8e d3 03 00 00 ff 15 18 88 46 00 exception.instruction: cmp dword ptr [eax + 0xc], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x77a775 registers.esp: 2615300 registers.edi: 40309576 registers.eax: 0 registers.ebp: 2617264 registers.edx: 39457176 registers.ebx: 1 registers.esi: 41076416 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:29 p.m.	stacktrace: 0x77ab64 0x77188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72596a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72596a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72596a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72636a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x726369ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72636eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x726370b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72636fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72ba7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72ba4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 ca ff e1 6b 83 78 04 00 0f 84 8f 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd4857 registers.esp: 2615200 registers.edi: 41082952 registers.eax: 0 registers.ebp: 2615292 registers.edx: 2615168 registers.ebx: 1 registers.esi: 41082744 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 5:30 p.m.	stacktrace: system+0x5ada48 @ 0x7181da48 mscorlib+0x1e843f @ 0x71c5843f mscorlib+0x1e83ab @ 0x71c583ab CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72571b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72588dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x725893cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x7258940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x72589479 CreateAssemblyNameObject+0xccc6 DllRegisterServerInternal-0x345d mscorwks+0x52e09 @ 0x725c2e09 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x725c192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x725c18cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x725c17f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x725c197d CreateAssemblyNameObject+0xc655 DllRegisterServerInternal-0x3ace mscorwks+0x52798 @ 0x725c2798 CreateAssemblyNameObject+0xcc46 DllRegisterServerInternal-0x34dd mscorwks+0x52d89 @ 0x725c2d89 CreateAssemblyNameObject+0xcc75 DllRegisterServerInternal-0x34ae mscorwks+0x52db8 @ 0x725c2db8 CreateAssemblyNameObject+0xcd1b DllRegisterServerInternal-0x3408 mscorwks+0x52e5e @ 0x725c2e5e CreateAssemblyNameObject+0xc9dd DllRegisterServerInternal-0x3746 mscorwks+0x52b20 @ 0x725c2b20 CreateAssemblyNameObject+0xc2ef DllRegisterServerInternal-0x3e34 mscorwks+0x52432 @ 0x725c2432 GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x726d805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 00 6a 00 ff 70 08 6a 04 8b 15 14 21 5a 03 8b exception.instruction: cmp dword ptr [eax], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5dd75fe registers.esp: 119337920 registers.edi: 41156724 registers.eax: 0 registers.ebp: 119337952 registers.edx: 1 registers.ebx: 40501372 registers.esi: 41156752 registers.ecx: 41169992	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://checkip.dyndns.org/
suspicious_features	POST method with no referer header				suspicious_request	POST https://rakishev.net/wp-load.php

Connects to a Dynamic DNS Domain (1 event)

domain

checkip.dyndns.org

Performs some HTTP requests (2 events)

request	GET http://checkip.dyndns.org/
request	POST https://rakishev.net/wp-load.php

Sends data using the HTTP POST Method (1 event)

request

POST https://rakishev.net/wp-load.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 126 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9432c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94272000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:21 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73282000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73282000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:23 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 5:29 p.m.	process_identifier: 2888 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 4, 2023, 5:29 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 8468295145849449705 root_path: C:\Program Files\OpenSSL-Win64\ total_number_of_bytes: 4294967295		0	0
GetDiskFreeSpaceExW Oct. 4, 2023, 5:29 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13306056704 root_path: C:\Program Files\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Looks up the external IP address (1 event)

domain

checkip.dyndns.org

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-274TJ.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\XS1WFR6F.exe
file	C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Oct. 4, 2023, 5:30 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\ScreenShot filepath: C:\Users\test22\AppData\Roaming\ScreenShot	1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-274TJ.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Temp\is-PJ43B.tmp\6WCKE74G.tmp
file	C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 4, 2023, 5:29 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 4, 2023, 5:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (3 events)

Time & API	Arguments	Return
RegOpenKeyExA Oct. 4, 2023, 5:29 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\OpenSSL Light (64-bit)_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\OpenSSL Light (64-bit)_is1	2
RegOpenKeyExA Oct. 4, 2023, 5:29 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\OpenSSL Light (64-bit)_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\OpenSSL Light (64-bit)_is1	2
RegOpenKeyExA Oct. 4, 2023, 5:29 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander	2

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 4, 2023, 5:29 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

XS1WFR6F.exe tried to sleep 2728521 seconds, actually delayed analysis time by 2728521 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Harvests information related to installed instant messenger clients (2 events)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry	HKEY_CURRENT_USER\Software\Paltalk

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 4, 2023, 5:29 p.m.	thread_identifier: 0 callback_function: 0x008d1682 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00e90000	1	5177767	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000cc suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x000000000000020c suspend_count: 1 process_identifier: 2540	1	0
NtGetContextThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0	1	0
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 2540	1	0
NtGetContextThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0	1	0
NtSetContextThread Oct. 4, 2023, 5:21 p.m.	registers.r14: 2814520 registers.r15: 53120608 registers.rcx: 106 registers.rsi: 0 registers.r10: 0 registers.rbx: 6588902 registers.rsp: 2813600 registers.r11: 4461410 registers.r8: 53120696 registers.r9: 1 registers.rip: 8791591845536 registers.rdx: 4461411 registers.r12: 53120680 registers.rbp: 2813768 registers.rdi: 321590744 registers.rax: 6588902 registers.r13: 0 thread_handle: 0x00000000000000d0 process_identifier: 2540	1	0
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 4, 2023, 5:21 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Oct. 4, 2023, 5:22 p.m.	thread_identifier: 2760 thread_handle: 0x00000000000003a8 process_identifier: 2756 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003b0	1	1
NtResumeThread Oct. 4, 2023, 5:22 p.m.	thread_handle: 0x0000000000000340 suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Oct. 4, 2023, 5:22 p.m.	thread_identifier: 2892 thread_handle: 0x00000000000003b0 process_identifier: 2888 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\XS1WFR6F.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\XS1WFR6F.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\XS1WFR6F.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003c8	1	1
NtResumeThread Oct. 4, 2023, 5:22 p.m.	thread_handle: 0x000000000000039c suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Oct. 4, 2023, 5:22 p.m.	thread_identifier: 0 thread_handle: 0x0000000000000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\TCDDBEA.tmp\4B11M5M7.exe track: 0 command_line: "C:\Users\test22\AppData\Local\Temp\TCDDBEA.tmp\4B11M5M7.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\TCDDBEA.tmp\4B11M5M7.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000000		0
CreateProcessInternalW Oct. 4, 2023, 5:29 p.m.	thread_identifier: 2808 thread_handle: 0x00000134 process_identifier: 2804 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-PJ43B.tmp\6WCKE74G.tmp" /SL5="$5012C,4486469,58368,C:\Users\test22\AppData\Local\Temp\TCDD8B2.tmp\6WCKE74G.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2804	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x00000694 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x000006d8 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x000006ec suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:29 p.m.	thread_handle: 0x00000780 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:30 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:30 p.m.	thread_handle: 0x000007ac suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 4, 2023, 5:30 p.m.	thread_handle: 0x000007e0 suspend_count: 1 process_identifier: 2888	1	0

eCVXk3pYsYhZNlI.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All