Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 24, 2024, 10:48 a.m.	Sept. 24, 2024, 11:10 a.m.

Size	9.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`221942540e2630630887a7b59a855ec2`
SHA256	`45f875dde426c2a7bd4cc1debccc69f49554b06d6682b11e1d653a764881d1ad`
CRC32	`D6591FA4`
ssdeep	`196608:muD3qUwPM2yoVEHGoGeFdJJMGHPP/CPZ5za/+qKcDxNY5fv7RFHnTKm:HD2ymXbeFV/m5zQAfHHTF`
PDB Path	softevo.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66f18a5501651_ww_a.exe "C:\Users\test22\AppData\Local\Temp\66f18a5501651_ww_a.exe"
800
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2552
  - VKiUj1bswl1U4GpzdLupgrRl.exe C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe
    2760
    - VKiUj1bswl1U4GpzdLupgrRl.exe C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe
      2976
  - t5zjygAQWmij_0YBlvBaECOC.exe C:\Users\test22\Documents\iofolko5\t5zjygAQWmij_0YBlvBaECOC.exe
    2796

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81
58yongzhe.com
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
iplog.co	A 104.21.62.25 A 172.67.219.22	172.67.219.22
api64.ipify.org	A 173.231.16.77 A 104.237.62.213	173.231.16.77

IP Address	Status	Action
103.130.147.211	Active	Moloch
104.237.62.213	Active	Moloch
104.26.4.15	Active	Moloch
164.124.101.2	Active	Moloch
172.67.219.22	Active	Moloch
172.67.75.163	Active	Moloch
34.117.59.81	Active	Moloch
45.91.200.135	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2054168	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49171 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.237.62.213:443 -> 192.168.56.103:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49167 -> 104.237.62.213:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49167 -> 104.237.62.213:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 104.237.62.213:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49169 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49169 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49172 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49172 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 103.130.147.211:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 103.130.147.211:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 103.130.147.211:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 103.130.147.211:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 103.130.147.211:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 103.130.147.211:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 103.130.147.211:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 103.130.147.211:80 -> 192.168.56.103:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.130.147.211:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.130.147.211:80 -> 192.168.56.103:49175	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 103.130.147.211:80 -> 192.168.56.103:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2054101	ET INFO URL Shortener Service Domain in DNS Lookup (iplog .co)	Misc activity
TCP 192.168.56.103:49174 -> 103.130.147.211:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 172.67.219.22:443	2054102	ET INFO Observed URL Shortener Service Domain (iplog .co in TLS SNI)	Misc activity
TCP 192.168.56.103:49179 -> 172.67.219.22:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 104.237.62.213:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 104.26.4.15:443	C=US, O=Google Trust Services, CN=WR1	CN=db-ip.com	e0:87:2e:81:a3:0e:fe:55:82:41:57:b8:ff:b2:84:42:af:47:01:7c
TLSv1 192.168.56.103:49172 172.67.75.163:443	C=US, O=Google Trust Services, CN=WR1	CN=myip.com	b3:80:cf:15:df:f5:53:6f:d4:e4:88:68:de:87:c0:e1:f8:3b:2c:02
TLSv1 192.168.56.103:49179 172.67.219.22:443	C=US, O=Google Trust Services, CN=WE1	CN=iplog.co	41:e9:ee:71:f9:ab:52:5b:92:34:76:d8:19:e9:da:99:7a:44:b4:0a

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 24, 2024, 10:49 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 24, 2024, 10:48 a.m.			0	0
IsDebuggerPresent Sept. 24, 2024, 10:48 a.m.			0	0
IsDebuggerPresent Sept. 24, 2024, 10:50 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

softevo.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 24, 2024, 10:48 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

DATAFILE

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 24, 2024, 10:48 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x740e1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x73fb2ba1 mscorlib+0xb3c869 @ 0x730fc869 mscorlib+0xb3ae13 @ 0x730fae13 0x55b6154 0x55b5e32 0x98ed71 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1763952 registers.edi: 0 registers.eax: 1763952 registers.ebp: 1764032 registers.edx: 0 registers.ebx: 5914640 registers.esi: 5529120 registers.ecx: 2678566815	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 24, 2024, 10:48 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x740e1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x73fb2ba1
mscorlib+0xb3c869 @ 0x730fc869
mscorlib+0xb3ae13 @ 0x730fae13
0x55b6154
0x55b5e32
0x98ed71
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1763952
registers.edi: 0
registers.eax: 1763952
registers.ebp: 1764032
registers.edx: 0
registers.ebx: 5914640
registers.esi: 5529120
registers.ecx: 2678566815

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://45.91.200.135/api/wp-ping.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.91.200.135/api/wp-admin.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://103.130.147.211/Files/CheckTool.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://103.130.147.211/Files/tac.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://103.130.147.211/Files/Channel2.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://103.130.147.211/Files/CheckTool.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://103.130.147.211/Files/tac.exe

Performs some HTTP requests (10 events)

request	GET http://45.91.200.135/api/wp-ping.php
request	POST http://45.91.200.135/api/wp-admin.php
request	HEAD http://103.130.147.211/Files/CheckTool.exe
request	HEAD http://103.130.147.211/Files/tac.exe
request	HEAD http://103.130.147.211/Files/Channel2.exe
request	GET http://103.130.147.211/Files/CheckTool.exe
request	GET http://103.130.147.211/Files/tac.exe
request	GET https://db-ip.com/demo/home.php?s=
request	GET https://api.myip.com/
request	GET https://iplog.co/1S3fd7

Sends data using the HTTP POST Method (1 event)

request

POST http://45.91.200.135/api/wp-admin.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05856000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05857000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05858000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05859000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74801000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x747b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74791000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74661000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74341000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742e1000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (21 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghpilmjholiicaobfjdkefcogmgaabif
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (15 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI27602\VCRUNTIME140.dll
file	C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe
file	C:\Users\test22\Documents\iofolko5\t5zjygAQWmij_0YBlvBaECOC.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\python312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\tk86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\tcl86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\numpy.libs\msvcp140-23ebcc0b37c8e3d074511f362feac48b.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\libssl-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\zlib1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\pywin32_system32\pywintypes312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\libcrypto-3.dll
file	C:\Users\test22\Documents\iofolko5\YejNVAIvCzXJTGcowdi8At0t.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\numpy.libs\libscipy_openblas64_-c16e4918366c6bc1f1cd71e28ca36fc0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\libffi-8.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe

An executable file was downloaded by the process regasm.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 24, 2024, 10:49 a.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔ÷àÆ`uÀÓ@@ÿËÁû@°îLü6$Àî; ðÓ´.text¨ÆÆ `.rdata\ Æ Æ@@.dataLçÀÓèªÓ@À.idataL°îê@À.reloc; Àî< ê@B.symtabüÔ÷B.rsrc6$ü&Ö÷@@$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ,$ÃÌÌÌÌÌÌÌÌÌÌÌÌ4$ÃÌÌÌÌÌÌÌÌÌÌÌÌ<$ÃÌÌÌÌÌÌÌÌÌÌÌÌÿ Go build ID: "pq5QRNjOsRk7j4oYV3qX/wEOWHkDsXyyGe7Ns5mSi/D-AbyzhzjmrKqtAyFskc/ujk_X_Tf-Vle7RDOyePy" ÿÌÌÌÌÌÌÌÌÌ æ,d ;aìèÄ±O]C$ÇD$èºè ²D$è±è³èô±è±OC$ÇD$èÙ¹èÔ±èo±èj³èÅ±è`±T]C$ÇD$èª¹è¥±è@±è;³è±ÄÃèÍCéHÿÿÿÌÌÌÌÌÌÌÌ æ,d ;avAìT$úv¿$êzD$èèÒtäZÿÚuÝT$D$1ÉèðWèjCë¨ÌÌÌÌÌÌÌÌ æ,d ;avìT$1ÀÁè¾Wè8CëÖÌÌÌÌÌÌìT$1ÀÁèWÌÌÌÌÌÌÌÌÌÌÌÌÌ æ,d ;avPì¶T$¶ÒÜö'-Øö'9ÓÛv'EMD$L$ÄÃDÕ@L$D$ÄÃ1ÀÁè1Wè«BëÌÌÌÌÌÌÌÌÌ æ,d ;avD$¶@àD$Ãè{BëÙÌÌÌÌÌÌÌÌÌ æ,d ;avD$¶@öÀÀD$ÃèHBëÖÌÌÌÌÌÌ æ,d ;avD$@ÀÀD$ÃèBëØÌÌÌÌÌÌÌÌ æ,d ;avD$¶@öÀ ÀD$ÃèèAëÖÌÌÌÌÌÌ æ,d ;avD$¶@öÀ ÀD$Ãè¸AëÖÌÌÌÌÌÌ æ,d ;avXìL$É\|GT$RÓ÷Ú9Ñw*D$9Ár)ÁÊ÷ÙÁù!ÈØD$T$T$ ÄÃè request_handle: 0x00cc0030	1	1	0
InternetReadFile Sept. 24, 2024, 10:49 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ §ZpcôZpcôZpcô`õ]pcôfõîpcôgõPpcôóôYpcôó`õSpcôógõKpcôófõrpcôbõQpcôZpbôÁpcôOôgõCpcôOôaõ[pcôRichZpcôPEdÿqìfð"( °Í@°¢`Á\Êxpá'@P" d @@° .text `.rdataP°,¤@@.dataøSàÐ@À.pdataP"@$Þ@@.rsrcá'p(@@.relocd @BHì(èîHîÏèîHHÝÏHHH ÒÏHÄ(é'ÌÌÌÌÌÌÌÌÌH#ÃÌÌÌÌÌÌÌÌH\$Ht$ LD$WATAUAVAWHì0Lò3öHL¨DþIøHÙA½ÿÿÿÿè45LàHÀuIVH )¨èlé!AVE3ÀHIÌèöÀy#è@>MNL-¨H b¨è/éÆANèU>LøHÀu+A^è>MN\$ LA¨H N¦èóéA~uMÏE3ÀIÖIÌèÖëaA^Hl$`IïHÛtD¸ @ffH;ØHûMÌA¸HGøHÍH×èòHøriHï¸ H+ßuÏÆH\|$pHl$`ÀtIÏè=LþIÌèîI÷MÿtH×IÏè)5DèHÎè^=H\$hAÅHt$xHÄ0A_A^A]A\_Ãè=MNLK¦H x¦èAÅëHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XA¸XHD$`Hp¤D$(HL$ HD$ èIñè«DøÀt(HSDÀH S¤è¸ÿÿÿÿHÄA_A^_^][Ã¹ L¬$è<LèHÀu#èR<LKL_¤H ¤èAée¹ èf<HèHÀu#è<LKLz¤H g¤èé0L¤$ÐA¿ÿÿÿÿDcD¸ IÜL;àLÏºIÍHGØLÃèZðH;ÃæHÏè½íÀÖL+ã\$(Ll$ f» Hl$03Ò\$8HL$ è6øA¿ÿÿÿÿHùv\|øtrL$8H+ÙMöt)MÎLÃºHÍè÷H;ÃuIÎèEíÀtAÿëBHötLÃHÕHÎèIHó\|$8{ÿÿÿÿtMätH request_handle: 0x00cc0028	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0040dc00', u'virtual_address': u'0x00002000', u'entropy': 7.8394337067468225, u'name': u'.text', u'virtual_size': u'0x0040db24'}

entropy

7.83943370675

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0055ea00', u'virtual_address': u'0x00412000', u'entropy': 7.99188854742362, u'name': u'.rsrc', u'virtual_size': u'0x0055e916'}

entropy

7.99188854742

description

A section with a high entropy has been found

entropy

0.999689199689

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 24, 2024, 10:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.winimage.com/zLibDll

Yara rule detected in process memory (9 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 24, 2024, 10:48 a.m.	status_code: 0xffffffff process_identifier: 2512 process_handle: 0x00000250		0	0
NtTerminateProcess Sept. 24, 2024, 10:48 a.m.	status_code: 0xffffffff process_identifier: 2512 process_handle: 0x00000250	1	0	0

Communicates with host for which no DNS query was performed (2 events)

host	103.130.147.211
host	45.91.200.135

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2512 region_size: 1970176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244		3221225496	0
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 region_size: 1970176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0	0

Executes one or more WMI queries (1 event)

wmi	Select * From AntiVirusProduct

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 manipulating memory of non-child process 2512
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2512 region_size: 1970176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ù©} ½Èó½Èó½Èóö°ò¬Èóö°òvÈóö°ò¥ÈóIîó¹ÈóIòÜÈóIò¨ÈóIò¤Èóö°ò°Èó½Èó\|ÈóNJòýÈóNJìó¼Èó½Èó¼ÈóNJò¼ÈóRich½ÈóPEL@ñfà'¨2oõÀ@@d£0VTyP&8À&%@À.textì§¨ `.rdata0ïÀð¬@@.datahp°J@À.rsrcV0Væ@@.relocTyz<@B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x0000024c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ù©} ½Èó½Èó½Èóö°ò¬Èóö°òvÈóö°ò¥ÈóIîó¹ÈóIòÜÈóIò¨ÈóIò¤Èóö°ò°Èó½Èó\|ÈóNJòýÈóNJìó¼Èó½Èó¼ÈóNJò¼ÈóRich½ÈóPEL@ñfà'¨2oõÀ@@d£0VTyP&8À&%@À.textì§¨ `.rdata0ïÀð¬@@.datahp°J@À.rsrcV0Væ@@.relocTyz<@B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x0000024c	1	1	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetectMalware.CS
CrowdStrike	win/malicious_confidence_60% (D)
K7GW	Trojan ( 005ba32d1 )
K7AntiVirus	Trojan ( 005ba32d1 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AMGY
APEX	Malicious
ClamAV	Win.Packed.Malwarex-10033462-0
McAfeeD	ti!45F875DDE426
Trapmine	suspicious.low.ml.score
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.221942540e263063
Google	Detected
Microsoft	Trojan:Win32/Wacatac.B!ml
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL.Generic
Ikarus	Trojan.MSIL.Injector
Fortinet	MSIL/Kryptik.AMGY!tr

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 called NtSetContextThread to modify thread in remote process 2552
NtSetContextThread Sept. 24, 2024, 10:48 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5502319 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 2552	1	0	0

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 80 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macCroatian.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso2022-jp.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-4.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp860.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-9.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-16.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\gb2312-raw.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp437.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-8.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp864.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\shiftjis.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\ksc5601.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\big5.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp869.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-14.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1250.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\jis0201.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso2022-kr.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1255.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\koi8-u.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp949.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-3.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macCentEuro.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp950.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-6.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-5.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macGreek.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp874.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\koi8-r.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macRomania.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1254.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp737.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp850.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-11.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\gb12345.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macJapan.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macCyrillic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\dingbats.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1251.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1257.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp932.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp775.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-10.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp855.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-15.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1256.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso2022.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-13.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cns11643.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macIceland.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 682 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI27602\numpy\_core\_multiarray_tests.cp312-win_amd64.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\macCroatian.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\platformdirs-4.2.2.dist-info\licenses\LICENSE
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\ru.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\fr_ch.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp852.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\sw.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\typeguard-4.3.0.dist-info\RECORD
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\jis0201.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\more_itertools-10.3.0.dist-info\METADATA
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Cayman
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp950.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Africa\Blantyre
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Whitehorse
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Nome
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\es_uy.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-11.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\importlib_resources-6.4.0.dist-info\LICENSE
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Asia\Dili
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\cp1257.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\numpy.libs\libscipy_openblas64_-c16e4918366c6bc1f1cd71e28ca36fc0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\PIL\_imaging.cp312-win_amd64.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\iso8859-15.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\mr.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\kl_gl.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\hi.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Asia\Irkutsk
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\zh_cn.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\importlib_resources-6.4.0.dist-info\REQUESTED
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\INSTALLER
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\da.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\jaraco.collections-5.1.0.dist-info\top_level.txt
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\encoding\big5.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Africa\Accra
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\pl.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Africa\Lagos
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Kralendijk
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Africa\Sao_Tome
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\setuptools\_vendor\more_itertools-10.3.0.dist-info\RECORD
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Indiana\Marengo
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Lower_Princes
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Asia\Anadyr
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Argentina\Jujuy
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Marigot
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\ms_my.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\America\Montserrat
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\msgs\nn.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI27602\_tcl_data\tzdata\Africa\Juba

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 resumed a thread in remote process 2552
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2552	1	0	0

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 800	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 800	1	0
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 800	1	0
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread Sept. 24, 2024, 10:48 a.m.	registers.eip: 1945840516 registers.esp: 1764160 registers.edi: 77843 registers.eax: 1764160 registers.ebp: 1764620 registers.edx: 69102656 registers.ebx: 49695784 registers.esi: 0 registers.ecx: 19 thread_handle: 0x000000e0 process_identifier: 800	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 800	1	0
CreateProcessInternalW Sept. 24, 2024, 10:48 a.m.	thread_identifier: 2516 thread_handle: 0x00000248 process_identifier: 2512 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2512 region_size: 1970176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244		3221225496
CreateProcessInternalW Sept. 24, 2024, 10:48 a.m.	thread_identifier: 2556 thread_handle: 0x00000250 process_identifier: 2552 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2552 region_size: 1970176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ù©} ½Èó½Èó½Èóö°ò¬Èóö°òvÈóö°ò¥ÈóIîó¹ÈóIòÜÈóIò¨ÈóIò¤Èóö°ò°Èó½Èó\|ÈóNJòýÈóNJìó¼Èó½Èó¼ÈóNJò¼ÈóRich½ÈóPEL@ñfà'¨2oõÀ@@d£0VTyP&8À&%@À.textì§¨ `.rdata0ïÀð¬@@.datahp°J@À.rsrcV0Væ@@.relocTyz<@B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x0000024c	1	1
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: base_address: 0x00401000 process_identifier: 2552 process_handle: 0x0000024c	1	1
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: base_address: 0x0056c000 process_identifier: 2552 process_handle: 0x0000024c	1	1
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: base_address: 0x0058b000 process_identifier: 2552 process_handle: 0x0000024c	1	1
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: base_address: 0x00593000 process_identifier: 2552 process_handle: 0x0000024c	1	1
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: base_address: 0x005d9000 process_identifier: 2552 process_handle: 0x0000024c	1	1
WriteProcessMemory Sept. 24, 2024, 10:48 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x0000024c	1	1
NtSetContextThread Sept. 24, 2024, 10:48 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5502319 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 2552	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 24, 2024, 10:48 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Sept. 24, 2024, 10:49 a.m.	thread_identifier: 2764 thread_handle: 0x00000438 process_identifier: 2760 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000544	1	1
CreateProcessInternalW Sept. 24, 2024, 10:49 a.m.	thread_identifier: 2800 thread_handle: 0x00000570 process_identifier: 2796 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\iofolko5\t5zjygAQWmij_0YBlvBaECOC.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000005f8	1	1
NtResumeThread Sept. 24, 2024, 10:49 a.m.	thread_handle: 0x0000000000000090 suspend_count: 1 process_identifier: 2760	1	0
CreateProcessInternalW Sept. 24, 2024, 10:50 a.m.	thread_identifier: 2980 thread_handle: 0x000000000000009c process_identifier: 2976 current_directory: filepath: C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe track: 1 command_line: C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe filepath_r: C:\Users\test22\Documents\iofolko5\VKiUj1bswl1U4GpzdLupgrRl.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000000000000a0	1	1
NtResumeThread Sept. 24, 2024, 10:50 a.m.	thread_handle: 0x0000000000000118 suspend_count: 1 process_identifier: 2976	1	0

66f18a5501651_ww_a.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All