Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2023, 12:41 p.m.	Oct. 16, 2023, 12:47 p.m.

Size	2.8MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5c6b1ca0336366662d0f444e01f96a3a`
SHA256	`386d907ed5a2b26e8161a206bc8ee95dbcf055f44b7428675f590d30d4caa95d`
CRC32	`7AB3E8B2`
ssdeep	`49152:33wcgXPreWtD2BYZ0pjFdI+MfJSBwBZu1cTymDv+H7BBhNYj0He6:wcgfreW0HvEJ6wBMeTTzad3NYQ+6`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description)

gate4.exe "C:\Users\test22\AppData\Local\Temp\gate4.exe"
2564
- AqLCNUYV_7AvOx5vhd2uahj6.exe "C:\Users\test22\Pictures\Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe"
  2260
  - cmd.exe cmd /c .\dxOP.cmd
    2784
    - control.exe cOnTROL.ExE "C:\Users\test22\AppData\Local\Temp\7zS4D82C877\GJ5.A"
      2992
      - rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7zS4D82C877\GJ5.A"
        1152
        
        rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7zS4D82C877\GJ5.A"
        2404
        
        rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\test22\AppData\Local\Temp\7zS4D82C877\GJ5.A"
        2068
- KHOWPA_NrCHzAtN1rLIYWalB.exe "C:\Users\test22\Pictures\Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe"
  2212
  - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    1592
- PLutVJwMhKkBWy0I4dDNw_rf.exe "C:\Users\test22\Pictures\Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe"
  2224
  - E4520MDs1ERkljMZ6fnSAHxW.exe "C:\Users\test22\Documents\E4520MDs1ERkljMZ6fnSAHxW.exe"
    3296
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3372
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3516
- rzNSDBWnOuUp9KZQf1vEEBO8.exe "C:\Users\test22\Pictures\Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe"
  2240
  - Xc0Lm00.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Xc0Lm00.exe
    2940
    - lU6mc31.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\lU6mc31.exe
      2620
      - lO0dR71.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\lO0dR71.exe
        2376
        
        1ge81gE7.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\1ge81gE7.exe
        2232
        
        2eX5046.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\2eX5046.exe
        3868
- b_BfHcqb3_uTLEMqIjzZAgrW.exe "C:\Users\test22\Pictures\Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe"
  2268
- UzT3o_eh7ilHUsbNqgRDNpMT.exe "C:\Users\test22\Pictures\Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe"
  2868
  - 38fcARWiRHfIEOuzqwSxrDuR.exe "C:\Users\test22\Pictures\Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe"
    2960
- po63wWbfrnNk9KmTiSB5uUws.exe "C:\Users\test22\Pictures\Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe"
  1064
- XsoKeqrHlRgEydtPbMRBlV7C.exe "C:\Users\test22\Pictures\Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe"
  1528
- XSZhrhE_Sfn_MkbKHwdmoqte.exe "C:\Users\test22\Pictures\Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe"
  1852
  - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    2804
- Bl6sYsQfyg42QbS0gcJUBZ4E.exe "C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe"
  1780
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    2452
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3132
  - Bl6sYsQfyg42QbS0gcJUBZ4E.exe "C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe"
    4024
- qnsEAxgbAJ6_unx_zSEOUHz2.exe "C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe"
  1808
  - qnsEAxgbAJ6_unx_zSEOUHz2.exe "C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe"
    2532
    - icacls.exe icacls "C:\Users\test22\AppData\Local\31ff5d08-974d-447f-a18d-b1e6ddd2a356" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      3544
    - qnsEAxgbAJ6_unx_zSEOUHz2.exe "C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe" --Admin IsNotAutoStart IsNotTask
      3736
      - qnsEAxgbAJ6_unx_zSEOUHz2.exe "C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe" --Admin IsNotAutoStart IsNotTask
        3936
- L7QWnBrun6KRKkmF94SkLylb.exe "C:\Users\test22\Pictures\Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe"
  2860
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
onualituyrs.org	A 91.215.85.209	91.215.85.209
ipinfo.io	A 34.117.59.81	34.117.59.81
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.72
iplogger.org	A 148.251.234.83	148.251.234.83
yandex.ru	A 5.255.255.77 A 77.88.55.88 A 77.88.55.60 A 5.255.255.70	77.88.55.60
twitter.com	A 104.244.42.1	104.244.42.193
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.146.235
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.8.59
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	172.67.139.220
iplis.ru	A 148.251.234.93	148.251.234.93
dzen.ru	A 62.217.160.2	62.217.160.2
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
schematize.pw	A 172.67.152.98 A 104.21.32.142	172.67.152.98
telegram.org	A 149.154.167.99	149.154.167.99
sso.passport.yandex.ru	A 213.180.204.24 CNAME passport.yandex.ru	213.180.204.24
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
jackantonio.top	A 45.132.1.20	45.132.1.20
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.18.146.235	Active	Moloch
104.244.42.1	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
104.26.9.59	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
171.22.28.226	Active	Moloch
172.67.139.220	Active	Moloch
172.67.152.98	Active	Moloch
172.67.75.166	Active	Moloch
176.123.9.142	Active	Moloch
185.225.75.171	Active	Moloch
193.42.32.118	Active	Moloch
194.169.175.128	Active	Moloch
194.169.175.232	Active	Moloch
213.180.204.24	Active	Moloch
34.117.59.81	Active	Moloch
45.132.1.20	Active	Moloch
45.15.156.229	Active	Moloch
45.9.74.80	Active	Moloch
62.217.160.2	Active	Moloch
77.88.55.60	Active	Moloch
77.91.68.249	Active	Moloch
87.240.129.133	Active	Moloch
87.240.132.67	Active	Moloch
91.215.85.209	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.2	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49169 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49171 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49179 -> 172.67.152.98:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49179 -> 172.67.152.98:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.152.98:80 -> 192.168.56.101:49182	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49181 -> 172.67.152.98:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.152.98:80 -> 192.168.56.101:49181	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49185 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49163 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49163 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49168 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:80 -> 192.168.56.101:49178	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack
TCP 192.168.56.101:49178 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49189 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49178 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49186 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 172.67.152.98:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 171.22.28.226:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 45.132.1.20:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 45.132.1.20:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 171.22.28.226:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 171.22.28.226:80	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 77.91.68.249:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.101:49174	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49187 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49187 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 194.169.175.232:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.101:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 194.169.175.232:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.169.175.232:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 77.91.68.249:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.249:80 -> 192.168.56.101:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 45.132.1.20:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 194.169.175.232:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.232:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49190 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49190 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.132.1.20:80 -> 192.168.56.101:49188	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.132.1.20:80 -> 192.168.56.101:49188	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.101:49194 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49194 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:443 -> 192.168.56.101:49199	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.101:49210	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.101:49201	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49218 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49218 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49219 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49219 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49222 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49226 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49227 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49235 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49235 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49238 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49239 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49241 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49242 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49244 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49230 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49254	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49260 -> 77.88.55.60:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49270 -> 213.180.204.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49280 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49271 -> 193.42.32.118:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49280 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49269 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49290 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49279 -> 193.42.32.118:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49281 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49281 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49281 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49301 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49304 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49304 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49305 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49305 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49306 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49309 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49250 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49263 -> 62.217.160.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.128:50505 -> 192.168.56.101:49274	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49274 -> 194.169.175.128:50505	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 194.169.175.232:45451 -> 192.168.56.101:49285	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49291 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.128:50500 -> 192.168.56.101:49292	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 194.169.175.128:50500 -> 192.168.56.101:49292	2046267	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49302 -> 171.22.28.226:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49302 -> 171.22.28.226:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.101:49302	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49315 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 171.22.28.226:80 -> 192.168.56.101:49302	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.101:49302	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49320 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49320 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49320 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.101:49322	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49325 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49325 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49324 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49243 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49324 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49324	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.101:49324	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49349 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:60079 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.101:58269 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49292 -> 194.169.175.128:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49255 -> 104.244.42.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49275 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49275 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49276 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49276 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49286 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49286 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49292 -> 194.169.175.128:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49286 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49298 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49298 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49298 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49303 -> 176.123.9.142:37637	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49303 -> 176.123.9.142:37637	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49303 -> 176.123.9.142:37637	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49303 -> 176.123.9.142:37637	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 176.123.9.142:37637 -> 192.168.56.101:49303	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49338 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49340 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.101:49319	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49337 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49337 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49342 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49342 -> 172.67.139.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49342 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.169.175.232:45451 -> 192.168.56.101:49285	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49285 -> 194.169.175.232:45451	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49298 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49286 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49320 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49280 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49171 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49163 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49184 172.67.152.98:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=schematize.pw	07:2c:fc:75:7b:e8:19:a1:55:bd:3e:40:23:6d:51:73:14:7f:49:a9
TLSv1 192.168.56.101:49196 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49202 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49227 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49233 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49234 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49232 95.142.206.3:443	None	None	None
TLSv1 192.168.56.101:49238 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49241 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49223 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49242 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49244 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49225 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49230 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49260 77.88.55.60:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai	e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.101:49270 213.180.204.24:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru	3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93
TLSv1 192.168.56.101:49290 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49301 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49309 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49263 62.217.160.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru	6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.101:49291 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49243 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49349 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49275 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49276 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49340 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49342 172.67.139.220:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.2ip.ua	89:d4:db:86:86:4b:66:21:04:8f:0e:6c:cc:a5:4a:d5:67:73:3c:c9

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2023, 12:44 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 12:44 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2023, 12:44 p.m.	buffer: SUCCESS: The scheduled task "WinTrackerSP HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 12:44 p.m.	buffer: SUCCESS: The scheduled task "WinTrackerSP LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 12:44 p.m.	buffer: SUCCESS: The scheduled task "PowerControl HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 12:44 p.m.	buffer: SUCCESS: The scheduled task "PowerControl LG" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (35 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059b370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059b370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059b3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059b930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059b9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059b9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059baf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059baf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059ba30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07e68f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07e68f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07e68f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006389d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006389d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063b148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063b148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063b088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2023, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063b088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2023, 12:43 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	_RDATA
section	.&{
section	.W1R
section	.M t

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	TYPELIB
resource name	None

One or more processes crashed (30 events)

Time & API	Arguments	Status
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x7330281e WinHttpCloseHandle-0x30d winhttp+0x28f4 @ 0x733028f4 WinHttpCloseHandle+0x53 WinHttpSetOption-0x1318 winhttp+0x2c54 @ 0x73302c54 plutvjwmhkkbwy0i4ddnw_rf+0x2ebe5 @ 0x11febe5 plutvjwmhkkbwy0i4ddnw_rf+0x578e @ 0x11d578e plutvjwmhkkbwy0i4ddnw_rf+0x5739 @ 0x11d5739 plutvjwmhkkbwy0i4ddnw_rf+0x699a @ 0x11d699a plutvjwmhkkbwy0i4ddnw_rf+0xe696 @ 0x11de696 plutvjwmhkkbwy0i4ddnw_rf+0x38373 @ 0x1208373 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4 exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141 exception.exception_code: 0xc0000005 exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753 exception.address: 0x73302753 registers.esp: 2349920 registers.edi: 132 registers.eax: 2349948 registers.ebp: 2349964 registers.edx: 2351124 registers.ebx: 132 registers.esi: 0 registers.ecx: 132	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x7330281e WinHttpCloseHandle+0x79 WinHttpSetOption-0x12f2 winhttp+0x2c7a @ 0x73302c7a plutvjwmhkkbwy0i4ddnw_rf+0x2ebe5 @ 0x11febe5 plutvjwmhkkbwy0i4ddnw_rf+0x578e @ 0x11d578e plutvjwmhkkbwy0i4ddnw_rf+0x5739 @ 0x11d5739 plutvjwmhkkbwy0i4ddnw_rf+0x699a @ 0x11d699a plutvjwmhkkbwy0i4ddnw_rf+0xe696 @ 0x11de696 plutvjwmhkkbwy0i4ddnw_rf+0x38373 @ 0x1208373 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4 exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141 exception.exception_code: 0xc0000005 exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753 exception.address: 0x73302753 registers.esp: 2351024 registers.edi: 132 registers.eax: 2351052 registers.ebp: 2351068 registers.edx: 0 registers.ebx: 132 registers.esi: 0 registers.ecx: 132	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x738735 0x738506 0x7368e5 0x7364be 0x7334ab 0x732f10 0x732ea3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x738870 registers.esp: 4123892 registers.edi: 4123944 registers.eax: 0 registers.ebp: 4123956 registers.edx: 5501336 registers.ebx: 4125172 registers.esi: 39182664 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x577591 0x5774c5 0x5731dc 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x577629 registers.esp: 1766108 registers.edi: 41113248 registers.eax: 0 registers.ebp: 1766132 registers.edx: 5979528 registers.ebx: 41113268 registers.esi: 41114068 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x579699 0x579613 0x5785ac 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 1e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x579914 registers.esp: 1765520 registers.edi: 41324352 registers.eax: 43231264 registers.ebp: 1765580 registers.edx: 0 registers.ebx: 41328624 registers.esi: 43231264 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x579699 0x579630 0x5785ac 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 1e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x579914 registers.esp: 1765520 registers.edi: 41324352 registers.eax: 44661280 registers.ebp: 1765580 registers.edx: 0 registers.ebx: 43441240 registers.esi: 44661280 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x579699 0x579630 0x5785ac 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 1e exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x579914 registers.esp: 1765520 registers.edi: 41324352 registers.eax: 42256736 registers.ebp: 1765580 registers.edx: 0 registers.ebx: 41063608 registers.esi: 42256736 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c099 0x5789dc 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 4f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c2e3 registers.esp: 1765536 registers.edi: 40792512 registers.eax: 43849528 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 42629472 registers.esi: 43849528 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c099 0x5789dc 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 4f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c2e3 registers.esp: 1765536 registers.edi: 40792512 registers.eax: 45232360 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 43979172 registers.esi: 45232360 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c099 0x5789dc 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 4f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c2e3 registers.esp: 1765536 registers.edi: 40792512 registers.eax: 46582060 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 45362004 registers.esi: 46582060 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c369 0x578aa2 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 f1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c541 registers.esp: 1765536 registers.edi: 40792512 registers.eax: 0 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 41082104 registers.esi: 41681924 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c369 0x578aa2 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 f1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c541 registers.esp: 1765536 registers.edi: 40790636 registers.eax: 0 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 41950812 registers.esi: 43170860 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c369 0x578aa2 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 f1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c541 registers.esp: 1765536 registers.edi: 40790636 registers.eax: 0 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 43439748 registers.esi: 44659796 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c699 0x578b44 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 c8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c86a registers.esp: 1765536 registers.edi: 42360492 registers.eax: 0 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 41495404 registers.esi: 42095224 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c699 0x578b44 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 c8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c86a registers.esp: 1765536 registers.edi: 42360492 registers.eax: 0 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 42366444 registers.esi: 41819312 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57c699 0x578b44 0x577ebc 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 c8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57c86a registers.esp: 1765536 registers.edi: 42360492 registers.eax: 0 registers.ebp: 1765588 registers.edx: 0 registers.ebx: 42090532 registers.esi: 43602504 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 0x57cc24 0x577ed4 0x577ca0 0x573201 0x572e86 0x571b93 0x571b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72262652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7227264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72272e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72327610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a3f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72af7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72af4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 d8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57d05a registers.esp: 1765996 registers.edi: 44149044 registers.eax: 0 registers.ebp: 1766040 registers.edx: 0 registers.ebx: 44142836 registers.esi: 44149728 registers.ecx: 0	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: 1ge81ge7+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 12	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 374	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 342	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 310	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 278	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 246	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4374448 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 214	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4378544 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 182	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4382640 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 150	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4386736 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 118	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4390832 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 86	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4394928 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 54	1
__exception__ Oct. 16, 2023, 12:44 p.m.	stacktrace: 1ge81ge7+0xf054 @ 0x40f054 1ge81ge7+0xf0a0 @ 0x40f0a0 1ge81ge7+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 1ge81ge7+0xefff exception.address: 0x40efff exception.module: 1ge81gE7.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4399024 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 120 registers.ebx: 0 registers.esi: 4664136 registers.ecx: 22	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (16 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://171.22.28.226/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.169.175.232/autorun.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.91.68.249/navi/kur90.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://171.22.28.226/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.169.175.232/autorun.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.68.249/navi/kur90.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://193.42.32.118/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.42.32.118/api/firecom.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://171.22.28.226/download/WWW14_64.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://171.22.28.226/download/WWW14_64.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/zinda.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/zinda.exe

Performs some HTTP requests (49 events)

request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://171.22.28.226/download/Services.exe
request	HEAD http://194.169.175.232/autorun.exe
request	HEAD http://77.91.68.249/navi/kur90.exe
request	HEAD http://jackantonio.top/timeSync.exe
request	GET http://171.22.28.226/download/Services.exe
request	GET http://194.169.175.232/autorun.exe
request	GET http://77.91.68.249/navi/kur90.exe
request	GET http://jackantonio.top/timeSync.exe
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://193.42.32.118/api/tracemap.php
request	POST http://193.42.32.118/api/firecom.php
request	POST http://45.15.156.229/api/firegate.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	HEAD http://171.22.28.226/download/WWW14_64.exe
request	GET http://171.22.28.226/download/WWW14_64.exe
request	HEAD http://45.9.74.80/zinda.exe
request	GET http://45.9.74.80/zinda.exe
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://schematize.pw/setup294.exe
request	GET https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
request	GET https://sun6-20.userapi.com/c909418/u52355237/docs/d49/167def964d1d/Bot_Clien.bmp?extra=u226KRhFNKTwHJMooCCPzPmniPztLgViu_UdzG-VjX2Hdo2VQ_csORN4_Q0LZziy1wB-axwEO9JNYx174ntsePx0FuTMM0e_GCG405SNGpQvMEhf73KuF7vrvBeRTnAAwZp-CVmWviwj4x0M
request	GET https://vk.com/doc52355237_666962194?hash=6q38NEAvszC9RaRujZr6ZVjib9zBVZremmdPy8csKIw&dl=vi5dQPwpzhvYIPezYQtsimILAKZctT0T5feFndBaxT8&api=1&no_preview=1#55
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://sun6-23.userapi.com/c909628/u52355237/docs/d45/362847a669f2/44.bmp?extra=HTogS9Udy-zScPsV8Lv4flcVw5qsSLuY9mdyAh5RRn5xhDPI8DfW9wtYF2X9SS9jhOM-3_rypQvzo-pT4vmB5SI_QdmT89HOjHvIcqqjQ3qOU-NfnB8XQLZDws7kGj9EbiGU5OrFcamzfHKn
request	GET https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1
request	GET https://sun6-23.userapi.com/c909228/u52355237/docs/d38/fa41d55bfcd2/d3h782af.bmp?extra=x2wWuvzLp9U9MFpMuHZvNeDGbtRLE0wlF7xXDQEgYuMpz0YX4nSn8o70AXGDKhvOM9YscK1wrIJ3gioKVHDTS71MBi-kHvMK6C3w00FHmTA2gPyAb3GAalPr1Iq8MFdFriiC1VsUCrdiBBIt
request	GET https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
request	GET https://vk.com/doc52355237_666985371?hash=xUCdQotbw4FtZlATzAL4qnHpx7ewB6dgNtlbn7gwXm4&dl=xZf2pdqcEKVJkPKzgfXwyOhSAkzUukUObYzCFT4qurw&api=1&no_preview=1#1
request	GET https://sun6-20.userapi.com/c909228/u52355237/docs/d55/a0f4bd8121f1/PL_Client.bmp?extra=gHHzZgmQ2ix-eyDuXWWUkcOvwwyUCy5E3P9WTu6vphlfKcCiFbxuGjvCO_1EJxvkfs2bGFSfr_9PlZsRCq65LOri_c51dD0gx807OeObF3eM6u1R8XpQ0HJzY5ESz-7d2hCuHgwJqj6q2qx6
request	GET https://sun6-23.userapi.com/c909418/u52355237/docs/d18/6dea2083151c/crypted.bmp?extra=fsba2zHpXvqaKaIs2cqbeh5vyBbuwJUz1GDJrKswAJIhi-uQ6bVTt1ZthUMWNp4RKY7PjMjHY4Ma_mmFnBFnz8T2TeqY1eHF6BqoZPrQTE5hBFV2aHat9V0upNqQz5qlhcM1Nx2yUiz1RdD4
request	GET https://vk.com/doc52355237_666953453?hash=NVFeHD1X6xxwiPyDZ4kbilHig693YsIH5g6X9HkS69s&dl=dzQeH4YkPFmuRHRZXunNV4NBh3hv5ZLppdno3QUFjqD&api=1&no_preview=1#rise
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11
request	GET https://sun6-22.userapi.com/c909218/u52355237/docs/d2/0ad6080636be/RisePro.bmp?extra=PqUzNShtdQ-VVGbOsb_U5PPXWQnmOykXCr2fivqUjiKkJwon0GTt09KEwh_9I68Dc5f0DQX1ply0EcnMJc9OgcjXAI8IkIAS0jKP-35agrJxkRrVKKABaH75pGdH6_DdpAnsxm5a-uDanq3h
request	GET https://sun6-23.userapi.com/c909518/u52355237/docs/d48/03ed792486f2/WWW11_32.bmp?extra=BDTRbaczcnbNzBo0BOe-ypzZEprOU10IkpkSzte4_V8G371fkmp_shttiZOFe2G1ASGDl-WPX9fz5UxXrtRJAgBkbTqjDYOK0KXnwLo7S-B1oMpIKEG-z8PCsBkFTg520y7LBkTmUfiZSrtb
request	GET https://vk.com/doc52355237_667000543?hash=eKOuemWuRCZmXal2YVj4QW37gepCmLzd9U7bLDKtdnX&dl=Le3z6AAKjnE7RlnXRnVZJtvMGIu3iOAwG2df2VZCSfz&api=1&no_preview=1#test22
request	GET https://sun6-23.userapi.com/c909228/u52355237/docs/d47/bcda7d7ba2d6/test222.bmp?extra=GzyOtEQtKTC3VoTX4BnD-XTSQBc84p66dFqVHCs6w0VNIzwoEOOArPYB4Kra3QYsCY6Q5lJRsdsoheUUeiOTRdVzlgMBxM95pEXkuMRNKZKeX0Vv4pn-zyZtwt586DxQGHtIi7RMD4sCd6BW
request	GET https://yandex.ru/
request	GET https://dzen.ru/?yredirect=true
request	GET https://sso.passport.yandex.ru/push?uuid=0db9eca3-374f-45c1-8887-36a74b181ed4&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://api.2ip.ua/geo.json
request	GET https://vk.com/doc52355237_666990393?hash=FTORQeSjuGQM3QZ0VZVmUaPzzMTjiHgVozgZL1VKkLs&dl=WHDNqvgddqa5sNEafsQGa9H9myfZRZuS1RHM37yysD8&api=1&no_preview=1
request	GET https://sun6-21.userapi.com/c237231/u52355237/docs/d27/febee9ba14ad/tmvwr.bmp?extra=KGmYpPVPqL1gWi9xyYdQGc9kE9zKzbY56JcAJV9iuZtoaTKYIdPjQcwEJi0bbYZccEU8xrKK9HW6FyaWz3VwbVmZxYG_2qmXrDvnZSdHp0boKwH__hcxkzXGDY-cpDrcR3ByVwRXBGUFBCA6

Sends data using the HTTP POST Method (4 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://193.42.32.118/api/firecom.php
request	POST http://45.15.156.229/api/firegate.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

jackantonio.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3804 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006af000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 2268 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x707a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 1528 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00408000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7224b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1592 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

gate4.exe tried to sleep 202 seconds, actually delayed analysis time by 202 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (20 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 16, 2023, 12:43 p.m.	number_of_free_clusters: 3235948 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:43 p.m.	number_of_free_clusters: 3235948 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:43 p.m.	number_of_free_clusters: 3235723 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:43 p.m.	number_of_free_clusters: 3235723 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 3234468 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 3234468 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 3227707 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 16, 2023, 12:44 p.m.	number_of_free_clusters: 3227707 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 2304 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (33 events)

file	C:\Users\test22\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
file	C:\Users\test22\Pictures\Minor Policy\9Zkfu0WpUyVvK8x53KqrbNVW.exe
file	C:\Users\test22\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4NS359GB.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\1ge81gE7.exe
file	C:\Users\test22\Pictures\Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\lO0dR71.exe
file	C:\Users\test22\Pictures\Minor Policy\dD_OaAgULZPwVKyIIbufPXLF.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\3df55Zz.exe
file	C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
file	C:\Users\test22\Pictures\Minor Policy\8wwikrlWZIpYquP0MQt7o7OW.exe
file	C:\Users\test22\Pictures\Minor Policy\oGdR7tPaM7vIWhbGOmZVIISo.exe
file	C:\Users\test22\Pictures\Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe
file	C:\Users\test22\Documents\E4520MDs1ERkljMZ6fnSAHxW.exe
file	C:\Users\test22\Pictures\Minor Policy\D5aVde9ftGUv1ZHS925jnjV_.exe
file	C:\Users\test22\Pictures\Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\lU6mc31.exe
file	C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe
file	C:\Users\test22\Pictures\Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe
file	C:\Users\test22\Pictures\Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe
file	C:\Users\test22\Pictures\Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe
file	C:\Users\test22\AppData\Local\Temp\7zS4D82C877\dxoP.cmd
file	C:\Users\test22\Pictures\Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\2eX5046.exe
file	C:\Users\test22\Pictures\Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe
file	C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe
file	C:\Users\test22\Pictures\Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Xc0Lm00.exe
file	C:\Users\test22\Pictures\Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\5dW2zp0.exe
file	C:\Users\test22\Pictures\Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe
file	C:\Users\test22\Pictures\Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe

Creates hidden or system file (3 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Oct. 16, 2023, 12:34 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1
SetFileAttributesW Oct. 16, 2023, 12:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1
SetFileAttributesW Oct. 16, 2023, 12:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1

Creates a shortcut to an executable file (5 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\???.txt.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\7zS4D82C877\Gj5.a
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4NS359GB.exe

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM Win32_DiskDrive

A process created a hidden window (19 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\9Zkfu0WpUyVvK8x53KqrbNVW.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\9Zkfu0WpUyVvK8x53KqrbNVW.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 3376 thread_handle: 0x00000534 process_identifier: 3372 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000053c	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 3520 thread_handle: 0x000005dc process_identifier: 3516 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005d8	1	1
ShellExecuteExW Oct. 16, 2023, 12:37 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe	1	1
ShellExecuteExW Oct. 16, 2023, 12:37 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 2308 thread_handle: 0x000000e8 process_identifier: 2452 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000f4	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 3136 thread_handle: 0x00000260 process_identifier: 3132 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000268	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (25 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 16, 2023, 12:34 p.m.	snapshot_handle: 0x00000000000003b0 process_name: mobsync.exe process_identifier: 2292	1	1
Process32NextW Oct. 16, 2023, 12:34 p.m.	snapshot_handle: 0x00000000000003b0 process_name: pw.exe process_identifier: 2336	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: svchost.exe process_identifier: 2100	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: rzNSDBWnOuUp9KZQf1vEEBO8.exe process_identifier: 2240	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: PLutVJwMhKkBWy0I4dDNw_rf.exe process_identifier: 2224	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: cmd.exe process_identifier: 2784	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: XsoKeqrHlRgEydtPbMRBlV7C.exe process_identifier: 1528	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: 9Zkfu0WpUyVvK8x53KqrbNVW.exe process_identifier: 1536	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: XSZhrhE_Sfn_MkbKHwdmoqte.exe process_identifier: 1852	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: Bl6sYsQfyg42QbS0gcJUBZ4E.exe process_identifier: 1780	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: qnsEAxgbAJ6_unx_zSEOUHz2.exe process_identifier: 1808	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: L7QWnBrun6KRKkmF94SkLylb.exe process_identifier: 2860	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: Xc0Lm00.exe process_identifier: 2940	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: AppLaunch.exe process_identifier: 1592	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: rundll32.exe process_identifier: 1152	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: lU6mc31.exe process_identifier: 2620	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: taskhost.exe process_identifier: 2976	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: cmd.exe process_identifier: 700	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: conhost.exe process_identifier: 1804	1	1
Process32NextW Oct. 16, 2023, 12:36 p.m.	snapshot_handle: 0x00000000000003a4 process_name: inject-x86.exe process_identifier: 204	1	1
Process32NextW Oct. 16, 2023, 12:44 p.m.	snapshot_handle: 0x00000480 process_name: SearchProtocolHost.exe process_identifier: 1140	1	1
Process32NextW Oct. 16, 2023, 12:44 p.m.	snapshot_handle: 0x00000480 process_name: SearchFilterHost.exe process_identifier: 1596	1	1
Process32NextW Oct. 16, 2023, 12:44 p.m.	snapshot_handle: 0x00000480 process_name: rundll32.exe process_identifier: 2068	1	1
Process32NextW Oct. 16, 2023, 12:44 p.m.	snapshot_handle: 0x00000480 process_name: conhost.exe process_identifier: 2964	1	1
Process32NextW Oct. 16, 2023, 12:44 p.m.	snapshot_handle: 0x00000480 process_name: inject-x86.exe process_identifier: 3112	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 1064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00820000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the processes gate4.exe, plutvjwmhkkbwy0i4ddnw_rf.exe, uzt3o_eh7ilhusbnqgrdnpmt.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 16, 2023, 12:34 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÉÉeà ,Ê#0@0cû@@Txð_à5à_ÔÐ_@ð!@.textï `.rdata«0@@.dataüà@À.vmp#0ì `.vmp#1dð!@À.vmp#2@Ó="Ô= `.relocÔà_Ü=@@.rsrcà5ð_üâ=@@öZbëWpû%ò;J&]\WÚ[ZlhQbJ"¤[º^ request_handle: 0x0000000000cc000c	1	1
InternetReadFile Oct. 16, 2023, 12:34 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ oNrCNrCNrCBDrCBÁrCBZrCB_rCB]rCBKrCNrCÍrCBzrCBOrCBOrCBOrCRichNrCPELÛÒ+eà"0-@@@´PP´<`°ð¦0¦@@$.text/0 `.rdataüz@\|4@@.data@À °@À.palvàxº@À.reloc°`2@B¹HËAèö h~?AèèYÃÌÌÌÌÌÌÌÌÌÌUW\|$éÿÿÿÿwoÇEÿsWÿt$}UèÄ_]ÂSßËVûÿÿÿv»ÿÿÿë ¸;ØBØCPèWÿt$ð}Vu]è?ÄÆ>^[_]ÂèLÌÌÌÌÌÌÌÌÌÌÌÌVñWÀFPÇAAfÖD$ÀPèÄÇ¨AAÆ^ÂVñWÀFPÇAAfÖD$ÀPèÔÄÇ´AAÆ^ÂWÀÁfÖAÇA¼AAÇ´AAÃÌÌÌÌÌÌÌÌVñWÀFPÇAAfÖD$ÀPèÄÆ^ÂÌÌÌÌÌÌAÇAAPèÉYÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌVñFÇAAPè¦ÄöD$tjVè ÄÆ^ÂÌÌÌSÜìäðÄUkl$ììØ¡ÀA3ÅEüVWutèh¶säÿ5VEè"WÀEhÈÿ5VEf,ÿÿÿf4ÿÿÿf<ÿÿÿfDÿÿÿfLÿÿÿfTÿÿÿf\ÿÿÿfdÿÿÿèÌE¤WÀ¡<àAÄ)EE¬Ç(ÿÿÿDÇE3ÀtèÁðAAf¡(BA}°fEèÇþE°BAEÀBAEÐó~ BAfÖEàffGÇfÀuôE¹P(ÿÿÿ¾0BAPjjjjjjjE°ó¥PÿUÀÁsrèrh'&e{ÿ5VEè ÄE¨rsé^jhjjjÿÿÐøh©Åð¿}Çÿ5VEèÔhRÃÿ5VEðèÂÄxÿÿÿsréWÿuÿÖÀFÀuéh2«ð®ÿ5VEèÄtÿÿÿjjQ¤ÁQÿuÿÐE¬j@h04àAÿ°PàA\|ÿÿÿÿ1ÿuÿU¨h$$Xÿ5VEðu¨è8M¬ÄEEPÿ±TàAhàAVÿuÿU¤öu jÿu request_handle: 0x0000000000cc0084	1	1
InternetReadFile Oct. 16, 2023, 12:34 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $×â%KÔKÔKÔöåNÕKÔöåHÕKÔöåOÕKÔöåJÕKÔJÔ KÔöåCÕKÔöå´ÔKÔöåIÕKÔRichKÔPELâ`bà dà`j@ üÌ@Á ¢´ÀÀT@ .textcd `.dataHh@À.idataR j@@.rsrcÐÀÂ\|@@.reloc >@B@P@¤@p@¢@È@u j@°i@@o@àÀ012P4ð4BIPJÐJ`KÀK LÀLÐLàOcÀc`g°i j`jàlðn@oppr radvapi32.dllCheckTokenMembership" .INF[]RebootAdvancedINFVersionsetupx.dllsetupapi.dll.BATSeShutdownPrivilegeadvpack.dllDelNodeRunDLL32*...wininit.ini%luSoftware\Microsoft\Windows\CurrentVersion\App Paths\Kernel32.dllHeapSetInformationTITLEEXTRACTOPTINSTANCECHECKVERCHECKDecryptFileALICENSE<None>REBOOTSHOWWINDOWADMQCMDUSRQCMDRUNPROGRAMPOSTRUNPROGRAMFINISHMSGLoadString() Error. Could not load string resource.CABINETFILESIZESPACKINSTSPACEUPROMPTIXP%03d.TMPIXPi386mipsalphappcA:\msdownld.tmpTMP4351$.TMPRegServerUPDFILE%luControl Panel\Desktop\ResourceLo request_handle: 0x0000000000cc009c	1	1
InternetReadFile Oct. 16, 2023, 12:34 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Þ#òªBùBùBùõ]ùBù^ùBùõ]ùBùõ]ùBùJÃùBùBùBùJÁùBù¬dùÙBù¬dùBùß6ùBùßùBù]DùBùRichBùPELËn\à/N°@@ç¼áx0°°.textE `.rdata:°<@@.datað#ðØ@À.sxdata Ú@À.rsrc0Ü@@éÆ@ðA;ÆTðA;ÃUìì$ESVW£XñAè$ Àuº\µA3Éè=§é¼è3Lÿÿÿè;&Mäè3&Mè+&Mè#&ÿÔ°APMØè7&EäLÿÿÿPMØèuÿuØèq!Ytÿÿÿèî%tÿÿÿè2MäèLMäèù)3ÛhXµAMä]è¤!Àt#EäMäÀÆEPè&MäèMäèÀ)hÿÿÿè¯"tÿÿÿhÿÿÿPhTðAº@ðAèÛÀu8]uº(µA3ÉèK¦j[éNh$µAXÿÿÿè¬%MÌè>%9lÿÿÿ=±AÆdÿÿÿÏMðèÌÖUðhÿÿÿèÙ*Àu8]uºµA3Éèç¥j[é³hµAUðMØèÌ-hô´AUðMÀè¼-hè´AUð@ÿÿÿè©-@ÿÿÿºä´Aèð ÀtdÿÿÿºØ´AMðèQ-;Ã\|MðXÿÿÿÀPèÄ%9]Ä8]j$ÿuØÿuÀSÿ×øtzÿµ@ÿÿÿèÉÿuÀèÁÿuØè¹ÄMðè ÿuÌè¦ÿµXÿÿÿèÿµhÿÿÿèÿµtÿÿÿèÿuè}ÿuèuÿuäèmÿµLÿÿÿèbÄ éhÌ´AUðM´è½,PMÌè%ÿu´è9UðM´Ç$À´Aè,PMèì$ÿu´èUðM´Ç$¬´Aèw,PMèÉ$ÿu´èóÿµ@ÿÿÿèèÿuÀèàÿuØèØÄMðè- M]èK#ÿ5°±AMèð6Àu8]uºd´A3Éè¤j[éòjèi;ÃYtÈèðë3ö;ótVÿPÎèwÀtº<´A3ÉèÓ£éüEM¨Pè#Mð]ÿèÊ"EðtÿÿÿPEÿPE¨ÿµdÿÿÿÎPèù;Ãt\|8]uaøt8]ÿtjUðYèK request_handle: 0x0000000000cc0060	1	1
InternetReadFile Oct. 16, 2023, 12:34 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $PÑäJ1¿·J1¿·J1¿·Tc;·l1¿·Tc·Y1¿·Tc<·+1¿·m÷Ä·G1¿·J1¾·Ì1¿·Tc5·K1¿·Tc+·K1¿·Tc.·K1¿·RichJ1¿·PEL¶µ>dà Ä> @Ð" $,ø: ", 0-@ä.text¤ `.dataä_ @À.rsrcø <(@@.reloc& "(d@B0ôú <Rf~ ¼Ôì&8Vj¬ÂàðÚ6N\p¦¾ÒÞò $4TnxÊ´"xfª¼Èàø(6BPZp ¾ÒÞìúBP\r¨°¼ÊÚð "<N\v¦¶ÆØêü$0@VLÐ¾²rÉ;@YE@Lw@è´@¡@î¹@ýw@ì®%eHp-p!bad allocationÌ-@8@8@Unknown exceptionà-@²<@ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocCorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6034 An application has made a request_handle: 0x0000000000cc006c	1	1
InternetReadFile Oct. 16, 2023, 12:44 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdLËeð"ø0æ,Ç@»<h`¡´à¦, LHÐ¤Pzí(è ÷0 ` vÁ1@@ $à4@À ÈW6@@ üp7@@.vmp#0R{7@@ T&:@@.idata0:@À.tls@:À.themida`;P:`à.vmp#1¢Ï'°u `.vmp#2@À.vmp#3è?f@f`h.reloc¤ÐLf@.rsrc¦,à.Nf@@óÔíÖÞ¡lû³J¦äNÄópP²,?±´Ð³ð&¡"=´níZ[²¢·íRU´ÒÇÀ´"¿®ªøìÈ¡Xð¦!ËÈÙ®r±z04 ´o:±DÃ¡Ð7íR®¯Ò+'´¬È¡p5ÇW²2Ã¡*ó¢È¸Ì¤Ì°æ¡íX\ÍâÌ&YS®ÜT®Ö²èÌm°7æÍíòÆfB®° Èº¯JÝ LTíª®¨ÌFA¦¿ÇBN´@ÙÍ´ðz¡þZ±ÒKÇ"È¤È®çÍXu°Æ´Bø:±ØØ òÖ±Ñ®±¶ª®X²¡8ÎÝ³m àh»ÌDIË¬%®ØÍ"íé ÒÄÞ\|Èâÿ³,k±t'´\|Ð>'ËrðJ¡$TøJ®å¼v±ÒkË0ÏËø\|È ÈÆ¥¯L> ÀF® request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 16, 2023, 12:37 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELÚXdàZÈo;p@`@Èàd à0p PÓpdÔÀÓ@p.textYZ `.rdatad\|p~^@@.datah$ðÜ@À.rsrcà ô@@.relocp 0"ö@BhP6BèÏ(YÃÌÌÌÌhð5Bè¿(YÃÌÌÌÌj h\ÃB¹ûBèÿh°6Bè(YÃÌÌÌj hÃB¹Cèßh7Bè~(YÃÌÌÌjh¤ÃB¹Cè¿hp7Bè^(YÃÌÌÌj h¬ÃB¹üBèhÐ7Bè>(YÃÌÌÌjhÐÃB¹DCèh08Bè(YÃÌÌÌjhäÃB¹´úBè_h8Bèþ'YÃÌÌÌjh[ÃB¹ÔCè?hð8BèÞ'YÃÌÌÌjh[ÃB¹LCèhP9Bè¾'YÃÌÌÌjh[ÃB¹¬üBèÿh°9Bè'YÃÌÌÌjh[ÃB¹TúBèßh:Bè~'YÃÌÌÌjhÄB¹DûBè¿hp:Bè^'YÃÌÌÌjhÄB¹tCèhÐ:Bè>'YÃÌÌÌjh ÄB¹<ýBèh0;Bè'YÃÌÌÌjh4ÄB¹\Cè_h;Bèþ&YÃÌÌÌj(hDÄB¹LCè?hð;BèÞ&YÃÌÌÌjhpÄB¹ÿBèhP<Bè¾&YÃÌÌÌjh\|ÄB¹ìCèÿh°<Bè&YÃÌÌÌjDhÄB¹tCèßh=Bè~&YÃÌÌÌj\hÐÄB¹düBè¿hp=Bè^&YÃÌÌÌjh0ÅB¹TýBèhÐ=Bè>&YÃÌÌÌjh@ÅB¹\|ùBèh0>Bè&YÃÌÌÌjhHÅB¹\|ÿBè_h>Bèþ%YÃÌÌÌj<hdÅB¹LùBè?hð>BèÞ%YÃÌÌÌjh¤ÅB¹4ùBèhP?Bè¾%YÃÌÌÌjh´ÅB¹ôCèÿh°?Bè%YÃÌÌÌjhÌÅB¹Cèßh@Bè~%YÃÌÌÌjXhàÅB¹,þBè¿hp@Bè^%YÃÌÌÌjh<ÆB¹CèhÐ@Bè>%YÃÌÌÌjhTÆB¹ÜCèh0ABè%YÃÌÌÌjh`ÆB¹DCè_hABèþ$YÃÌÌÌjhlÆB¹$úBè?hðABèÞ$YÃÌÌÌ request_handle: 0x0000000000cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0026c000', u'virtual_address': u'0x00400000', u'entropy': 7.893024197841578, u'name': u'.M t', u'virtual_size': u'0x0026bfb8'}

entropy

7.89302419784

description

A section with a high entropy has been found

entropy

0.880369187078

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 16, 2023, 12:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 12:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 12:44 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 12:44 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2023, 12:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	gate4.exe
process	uzt3o_eh7ilhusbnqgrdnpmt.exe

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (50 out of 69 events)

description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000480 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000488 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003d4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: AddressBook base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: Connection Manager base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: EditPlus base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: ENTERPRISE base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: Fontcore base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: Google Chrome base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: IE40 base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 16, 2023, 12:44 p.m.	regkey_r: IE4Data base_handle: 0x000003d4 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 16, 2023, 12:44 p.m.	status_code: 0x00000005 process_identifier: 3956 process_handle: 0x0000002c		0	0
NtTerminateProcess Oct. 16, 2023, 12:44 p.m.	status_code: 0x00000005 process_identifier: 3956 process_handle: 0x0000002c	1	0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 1f272f32a3617f3c74084ed07b30244765d35c03

Communicates with host for which no DNS query was performed (10 events)

host	171.22.28.226
host	176.123.9.142
host	185.225.75.171
host	193.42.32.118
host	194.169.175.128
host	194.169.175.232
host	45.15.156.229
host	45.9.74.80
host	77.91.68.249
host	94.142.138.131

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 1592 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 2804 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000040	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 2532 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c4	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3936 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c4	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3956 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c		3221225496
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 4092 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Oct. 16, 2023, 12:44 p.m.	service_handle: 0x00646248 service_name: WinDefend control_code: 1		0	0
ControlService Oct. 16, 2023, 12:44 p.m.	service_handle: 0x00646590 service_name: wuauserv control_code: 1	1	1	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (11 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5	reg_value	C:\Users\test22\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper	reg_value	"C:\Users\test22\AppData\Local\31ff5d08-974d-447f-a18d-b1e6ddd2a356\qnsEAxgbAJ6_unx_zSEOUHz2.exe" --AutoStart
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

DEP was bypassed by marking part of the stack executable by the process E4520MDs1ERkljMZ6fnSAHxW.exe (8 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3296 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000028f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Drops a binary and executes it (2 events)

file	C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe
file	C:\Users\test22\Pictures\Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3868 manipulating memory of non-child process 3956
Process injection	Process 3868 manipulating memory of non-child process 4092
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 3956 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c		3221225496	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 4092 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000011c	1	0	0

Potential code injection by writing to the memory of another process (11 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3868 injected into non-child 4092
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL?Vcà0È¬ç @ à@ÈæSV©À H.text$Ç È `.rsrcV©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 1592 process_handle: 0x0000002c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: à 7 base_address: 0x0043c000 process_identifier: 1592 process_handle: 0x0000002c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1592 process_handle: 0x0000002c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2804 process_handle: 0x00000040	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x000000c4	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3936 process_handle: 0x000000c4	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 4092 process_handle: 0x0000011c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þZB@¶B@¶B@¶B@¶B@¶BH¶B]B^BÈTBµB`°BC¶BHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇBHÇB¶BLÇBLÇBLÇBLÇBLÇBLÇBLÇB..þÿÿÿ þÿÿÿuÐù¾cyåú¦eÍiLÅ?þDVÐü!Êû×6}¼$ÁªaÐº;ëZèy©Ä@éã¶úæô;;¥¹Ò3[ 1à©ÜÞÙ#,ss3WILÈ½y+ qPøkú¢¼ÇmµúÂÆâs5}àO£tdïôfGj}É¬:ø÷¹â&÷c&ÀÇ@zÞcÅgÓÑëGïNn3g\|ÔZØ²¤G> b&}LºFwXÍ\|[x¦D@q#4m$>äÂö>/ö8Iå¸7ÐGñD¨íòDñ¥Ñ&\qÀÒJ²Z $\ÒVi×´v8·´Æ&Àÿ>Ì<[ÏlEfMdý\|îoK¡JnÜnÔÏ¯ ïµÃFòÜxAayÛOw(ì³Ö-ÆÆõA5«V¥0½REAãýñbG-¨¦¥ [Êþdã0[okûhn¤ÛB±±!S^¥4\Áéj8ªJÛ®!2É)C¨ñgÕ{@ÜMZ¶ß?þ÷}M¯,ëïõ Û³OS÷=B9Àc\#Ã\9§ 0b;(Ïÿ©(ÎZï¨ðóe^4>ØxúI"WÂB°%/í¯¼áy?Ó( ÖüMÝð·7¢L{éü=·Ë¡gÇmPvl\|Sâ DÄêq¯où¾Ì !sì©M7<wòÂ,-<L1Ò ¿ü/wÌð¹DPÐò°=þoÊÐðÒ¶eÆzoaªd>aùr)0Þ sÉzdÎD8@¸Þ¿åK@X¥³jj&å"ª¯L¤E©ÊæpÏ_éKr¢OÝTmªÛªuZE)J2^D{ðR¤%£§õ¼wX"Æ®ë"~"ê<äPu¶ç5G}¹~ó³Pr<LÌu ítuuDæÔúäfÂî4Ñ@#j-ÂÒ£ÑÉºgÍZê·í2>[Ììgu½CPHçëhºö-áN($q$ãeË°þm*âk3²Jd¼I?Ó#J0ÊDêQâZb&'Ô ¦g¡Æ^_/\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x0042b000 process_identifier: 4092 process_handle: 0x0000011c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: 0 H`à}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042e000 process_identifier: 4092 process_handle: 0x0000011c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 4092 process_handle: 0x0000011c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3868 injected into non-child 4092
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL?Vcà0È¬ç @ à@ÈæSV©À H.text$Ç È `.rsrcV©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 1592 process_handle: 0x0000002c	1	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPEL`x,eà$¸A@@ @L(ààðÐ/à @@.text) `.rdataxa@b.@@.datah#°@À.rsrcàà@@.relocÐ/ð0 @B base_address: 0x00400000 process_identifier: 4092 process_handle: 0x0000011c	1	1	0

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Oct. 16, 2023, 12:44 p.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 16, 2023, 12:44 p.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network activity contains more than one unique useragent (2 events)

process	gate4.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process	qnsEAxgbAJ6_unx_zSEOUHz2.exe				useragent	Microsoft Internet Explorer

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 called NtSetContextThread to modify thread in remote process 1592
Process injection	Process 1852 called NtSetContextThread to modify thread in remote process 2804
Process injection	Process 1808 called NtSetContextThread to modify thread in remote process 2532
Process injection	Process 3736 called NtSetContextThread to modify thread in remote process 3936
Process injection	Process 3868 called NtSetContextThread to modify thread in remote process 4092
NtSetContextThread Oct. 16, 2023, 12:43 p.m.	registers.eip: 1995571652 registers.esp: 4127840 registers.edi: 0 registers.eax: 4384542 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 1592	1	0	0
NtSetContextThread Oct. 16, 2023, 12:44 p.m.	registers.eip: 1995571652 registers.esp: 1769184 registers.edi: 0 registers.eax: 4510638 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2804	1	0	0
NtSetContextThread Oct. 16, 2023, 12:44 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c0 process_identifier: 2532	1	0	0
NtSetContextThread Oct. 16, 2023, 12:44 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c0 process_identifier: 3936	1	0	0
NtSetContextThread Oct. 16, 2023, 12:44 p.m.	registers.eip: 1995571652 registers.esp: 1374664 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000120 process_identifier: 4092	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 resumed a thread in remote process 1592
Process injection	Process 1852 resumed a thread in remote process 2804
Process injection	Process 1808 resumed a thread in remote process 2532
Process injection	Process 2532 resumed a thread in remote process 3736
Process injection	Process 3736 resumed a thread in remote process 3936
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 1592	1	0	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2804	1	0	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 2532	1	0	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 3736	1	0	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 3936	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\31ff5d08-974d-447f-a18d-b1e6ddd2a356" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.225.75.171:22233

Disables Windows Security features (36 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D7F0FBB4-3702-4374-A403-2DCCEEB56B0D}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AAC0582-87E2-4EE0-8D90-4C5F053E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D815E199-BA9C-48E2-8905-C85812756B3A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

Executed a process and injected code into it, probably while unpacking (50 out of 110 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2256 thread_handle: 0x0000000000000934 process_identifier: 2260 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\AqLCNUYV_7AvOx5vhd2uahj6.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000984	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2232 thread_handle: 0x0000000000000950 process_identifier: 2212 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\KHOWPA_NrCHzAtN1rLIYWalB.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000968	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2272 thread_handle: 0x0000000000000918 process_identifier: 2224 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\PLutVJwMhKkBWy0I4dDNw_rf.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000095c	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2236 thread_handle: 0x0000000000000954 process_identifier: 2240 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\rzNSDBWnOuUp9KZQf1vEEBO8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000964	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2228 thread_handle: 0x0000000000000928 process_identifier: 2268 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\b_BfHcqb3_uTLEMqIjzZAgrW.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000008e8	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2876 thread_handle: 0x0000000000000e20 process_identifier: 2868 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\UzT3o_eh7ilHUsbNqgRDNpMT.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000e24	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 1796 thread_handle: 0x0000000000000d48 process_identifier: 1536 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\9Zkfu0WpUyVvK8x53KqrbNVW.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\9Zkfu0WpUyVvK8x53KqrbNVW.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\9Zkfu0WpUyVvK8x53KqrbNVW.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000d60	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 1096 thread_handle: 0x0000000000000d8c process_identifier: 1064 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\po63wWbfrnNk9KmTiSB5uUws.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000d94	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 536 thread_handle: 0x0000000000000cec process_identifier: 1528 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\XsoKeqrHlRgEydtPbMRBlV7C.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000d24	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 1892 thread_handle: 0x0000000000000de4 process_identifier: 1852 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\XSZhrhE_Sfn_MkbKHwdmoqte.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000dd0	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 1256 thread_handle: 0x0000000000000de0 process_identifier: 1780 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\Bl6sYsQfyg42QbS0gcJUBZ4E.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000df8	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 1864 thread_handle: 0x0000000000000e10 process_identifier: 1808 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\qnsEAxgbAJ6_unx_zSEOUHz2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000e18	1	1
CreateProcessInternalW Oct. 16, 2023, 12:36 p.m.	thread_identifier: 2872 thread_handle: 0x0000000000000e38 process_identifier: 2860 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\L7QWnBrun6KRKkmF94SkLylb.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000df0	1	1
CreateProcessInternalW Oct. 16, 2023, 12:43 p.m.	thread_identifier: 2772 thread_handle: 0x0000001c process_identifier: 2784 current_directory: filepath: track: 1 command_line: .\dxOP.cmd filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000ec	1	1
CreateProcessInternalW Oct. 16, 2023, 12:43 p.m.	thread_identifier: 1040 thread_handle: 0x00000020 process_identifier: 1592 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Oct. 16, 2023, 12:43 p.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:43 p.m.	process_identifier: 1592 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL?Vcà0È¬ç @ à@ÈæSV©À H.text$Ç È `.rsrcV©ªÊ@@.relocÀt@B base_address: 0x00400000 process_identifier: 1592 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: base_address: 0x00402000 process_identifier: 1592 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: base_address: 0x00430000 process_identifier: 1592 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: à 7 base_address: 0x0043c000 process_identifier: 1592 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 16, 2023, 12:43 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1592 process_handle: 0x0000002c	1	1
NtSetContextThread Oct. 16, 2023, 12:43 p.m.	registers.eip: 1995571652 registers.esp: 4127840 registers.edi: 0 registers.eax: 4384542 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:43 p.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2224	1	0
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 3300 thread_handle: 0x000005f0 process_identifier: 3296 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Documents\E4520MDs1ERkljMZ6fnSAHxW.exe track: 1 command_line: "C:\Users\test22\Documents\E4520MDs1ERkljMZ6fnSAHxW.exe" filepath_r: C:\Users\test22\Documents\E4520MDs1ERkljMZ6fnSAHxW.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005ec	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 3376 thread_handle: 0x00000534 process_identifier: 3372 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000053c	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 3520 thread_handle: 0x000005dc process_identifier: 3516 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005d8	1	1
CreateProcessInternalW Oct. 16, 2023, 12:43 p.m.	thread_identifier: 2952 thread_handle: 0x0000001c process_identifier: 2940 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Xc0Lm00.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 16, 2023, 12:43 p.m.	thread_identifier: 2980 thread_handle: 0x00000088 process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp\7zS4D82C877 filepath: C:\Windows\System32\control.exe track: 1 command_line: cOnTROL.ExE "C:\Users\test22\AppData\Local\Temp\7zS4D82C877\GJ5.A" filepath_r: C:\Windows\system32\control.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Oct. 16, 2023, 12:37 p.m.	thread_identifier: 2832 thread_handle: 0x00000000000006d8 process_identifier: 2960 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\38fcARWiRHfIEOuzqwSxrDuR.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006d0	1	1
CreateProcessInternalW Oct. 16, 2023, 12:37 p.m.	thread_identifier: 2756 thread_handle: 0x00000000000007ec process_identifier: 2768 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\MvBzp13Zk04S9ZPWbmj9MV9f.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000007f8	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 2632 thread_handle: 0x0000001c process_identifier: 2620 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\lU6mc31.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000124	1	1
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 2084 thread_handle: 0x00000208 process_identifier: 1152 current_directory: C:\Users\test22\AppData\Local\Temp\7zS4D82C877 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7zS4D82C877\GJ5.A" filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000020c	1	1
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 1592	1	0
NtResumeThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 1592	1	0
CreateProcessInternalW Oct. 16, 2023, 12:44 p.m.	thread_identifier: 2908 thread_handle: 0x0000002c process_identifier: 2804 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000040	1	1
NtGetContextThread Oct. 16, 2023, 12:44 p.m.	thread_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 12:44 p.m.	process_identifier: 2804 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000040	1	0
WriteProcessMemory Oct. 16, 2023, 12:44 p.m.	buffer: base_address: 0x00400000 process_identifier: 2804 process_handle: 0x00000040	1	1

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Scar.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.69792542
FireEye	Trojan.GenericKD.69792542
Skyhigh	Artemis!Trojan
McAfee	Artemis!5C6B1CA03363
Cylance	unsafe
Arcabit	Trojan.Generic.D428F31E
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GOWP
Cynet	Malicious (score: 99)
Kaspersky	Trojan.Win32.Scar.tttw
BitDefender	Trojan.GenericKD.69792542
Avast	Win64:RansomX-gen [Ransom]
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.Nekark.ycxzt
Emsisoft	Trojan.GenericKD.69792542 (B)
Webroot	W32.Malware.Gen
Avira	TR/AD.Nekark.ycxzt
Antiy-AVL	Trojan/Win64.GenKryptik
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	Trojan.Win32.Scar.tttw
GData	Trojan.GenericKD.69792542
MAX	malware (ai score=82)
TrendMicro-HouseCall	TROJ_GEN.R002H0DJF23
Rising	Trojan.Scar!8.33F (TFE:5:lvYFnyV57AB)
Ikarus	Trojan.Win64.Krypt
Fortinet	PossibleThreat.MU
AVG	Win64:RansomX-gen [Ransom]
DeepInstinct	MALICIOUS

gate4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All