Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 22, 2021, 7:57 a.m.	June 22, 2021, 8 a.m.

Size	19.6KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fb2d85e3503b99fffcb9d2892a5af896`
SHA256	`7b0f5844126697187ba59c3aeb4efad204019519366d60eec8ab3c7ab64147ce`
CRC32	`7315F74B`
ssdeep	`384:LZH8Idf3Zoza8ilJLcJvaMFRA8RK5RbB8+yZbwnic9ojYEXbXaC9hoKwqhq0WAV:LZHPPlzmacR0BfTErVQQhqM`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

oki.exe "C:\Users\test22\AppData\Local\Temp\oki.exe"
656
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force
  6928
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force
  8992
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force
  3800
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force
  2776
- 7324971p7b2Sfi.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe"
  4408
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force
    8700
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force
    9060
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force
    7096
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force
    5988
  - 7324971p7b2Sfi.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe"
    1568
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force
  4368
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force
  5272
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force
  8628
- oki.exe "C:\Users\test22\AppData\Local\Temp\oki.exe"
  500

Name	Response	Post-Analysis Lookup
apdocroto.gq	A 172.67.158.27 A 104.21.14.60	172.67.158.27

IP Address	Status	Action
104.21.14.60	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.158.27	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic
TCP 192.168.56.102:49805 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49805 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49819 -> 104.21.14.60:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 104.21.14.60:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49805 -> 172.67.158.27:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49805 -> 172.67.158.27:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic
TCP 192.168.56.102:49819 -> 104.21.14.60:80	2221034	SURICATA HTTP Request unrecognized authorization method	Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 104.21.14.60:80	2032989	ET INFO HTTP Request to a *.gq domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 74 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 22, 2021, 7:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (19 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 22, 2021, 7:57 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:57 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0
IsDebuggerPresent June 22, 2021, 7:58 a.m.			0	0

Command line console output was observed (50 out of 99 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\oki. console_handle: 0x00000053	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: ft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: ft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\oki. console_handle: 0x00000053	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\Public\Documents\595354a157307 console_handle: 0x00000053	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW June 22, 2021, 7:58 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\oki. console_handle: 0x00000053	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 518 events)

Time & API	Arguments	Status	Return
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088ac58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088ac98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088ac98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054ae10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a5d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054aad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0054a690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 7:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 22, 2021, 7:57 a.m.		1	1	0

One or more processes crashed (20 events)

Time & API	Arguments	Status
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: 0x7b1506 0x7b0bb9 0x7b0749 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x7b0254 0x7b00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 6a 9b 6a 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7b1573 registers.esp: 3924132 registers.edi: 3924152 registers.eax: 0 registers.ebp: 3924164 registers.edx: 34345512 registers.ebx: 3924464 registers.esi: 34345512 registers.ecx: 0	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: 0x7b1518 0x7b0bb9 0x7b0749 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0x7b0254 0x7b00b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 6a 9b 6a 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7b1573 registers.esp: 3924132 registers.edi: 3924152 registers.eax: 0 registers.ebp: 3924164 registers.edx: 45104588 registers.ebx: 3924464 registers.esi: 45104588 registers.ecx: 0	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2eea8f @ 0x6eecea8f 0xb704c0 0xb700f4 0xb700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3010676 registers.edi: 0 registers.eax: 3010676 registers.ebp: 3010756 registers.edx: 0 registers.ebx: 4064856 registers.esi: 3368648 registers.ecx: 3834124259	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 system+0x2e1f0 @ 0x70b3e1f0 system+0xb88e5 @ 0x70bc88e5 system+0xaaad2 @ 0x70bbaad2 system+0xa962e @ 0x70bb962e system+0xa976c @ 0x70bb976c system+0xa9449 @ 0x70bb9449 system+0xa8ec9 @ 0x70bb8ec9 system+0xabc51 @ 0x70bbbc51 system+0xa1e00 @ 0x70bb1e00 system+0x6f4ce3 @ 0x658e4ce3 system+0x6f6fb8 @ 0x658e6fb8 system+0x6f3892 @ 0x658e3892 system+0x6f3514 @ 0x658e3514 system+0x6f42ec @ 0x658e42ec 0xb70534 0xb700f4 0xb700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3009924 registers.edi: 0 registers.eax: 3009924 registers.ebp: 3010004 registers.edx: 0 registers.ebx: 4064856 registers.esi: 3368648 registers.ecx: 3834120947	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45b0 @ 0x6eed45b0 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2eea8f @ 0x6eecea8f mscorlib+0x30c43f @ 0x6eeec43f system+0xe8021 @ 0x644e8021 system+0xe7f77 @ 0x644e7f77 system+0xd01da @ 0x644d01da system+0xcec0d @ 0x644cec0d system+0xea387 @ 0x644ea387 system+0xcec2d @ 0x644cec2d system+0x6f7869 @ 0x658e7869 system+0x6f6e71 @ 0x658e6e71 system+0x6f3892 @ 0x658e3892 system+0x6f3514 @ 0x658e3514 system+0x6f42ec @ 0x658e42ec 0xb70534 0xb700f4 0xb700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3010208 registers.edi: 0 registers.eax: 3010208 registers.ebp: 3010288 registers.edx: 0 registers.ebx: 4064856 registers.esi: 3368648 registers.ecx: 3834120667	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f45a5 @ 0x6eed45a5 mscorlib+0x2f73b5 @ 0x6eed73b5 mscorlib+0x2eeaf8 @ 0x6eeceaf8 mscorlib+0x2ec3f4 @ 0x6eecc3f4 system+0xd0c96 @ 0x644d0c96 system+0xd33b7 @ 0x644d33b7 system+0xd2428 @ 0x644d2428 system+0xff01f @ 0x644ff01f system+0xea215 @ 0x644ea215 system+0x6f7878 @ 0x658e7878 system+0x6f6e71 @ 0x658e6e71 system+0x6f3892 @ 0x658e3892 system+0x6f3514 @ 0x658e3514 system+0x6f42ec @ 0x658e42ec 0xb70534 0xb700f4 0xb700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3010228 registers.edi: 0 registers.eax: 3010228 registers.ebp: 3010308 registers.edx: 0 registers.ebx: 4064856 registers.esi: 3368648 registers.ecx: 3834120611	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: 0xb71506 0xb70bb9 0xb70749 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0xb70254 0xb700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 6a 9b 2e 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb71573 registers.esp: 3006148 registers.edi: 3006168 registers.eax: 0 registers.ebp: 3006180 registers.edx: 40964648 registers.ebx: 3006480 registers.esi: 40964648 registers.ecx: 0	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: 0xb71518 0xb70bb9 0xb70749 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f33f @ 0x7203f33f microsoft+0x3edf8 @ 0x7203edf8 microsoft+0x3e3b9 @ 0x7203e3b9 0xb70254 0xb700b2 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 6a 9b 2e 6e c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb71573 registers.esp: 3006148 registers.edi: 3006168 registers.eax: 0 registers.ebp: 3006180 registers.edx: 51714428 registers.ebx: 3006480 registers.esi: 51714428 registers.ecx: 0	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: 0x5717a0 0x570fc3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 83 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x571c13 registers.esp: 1372208 registers.edi: 1372232 registers.eax: 0 registers.ebp: 1372244 registers.edx: 195 registers.ebx: 1372492 registers.esi: 38707456 registers.ecx: 0	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0x576de5 0x571531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 c6 33 8d 6e 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x57d71f registers.esp: 1370916 registers.edi: 1370980 registers.eax: 0 registers.ebp: 1370996 registers.edx: 1370884 registers.ebx: 38856472 registers.esi: 38858620 registers.ecx: 0	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0x5771fd 0x571531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 72 d0 64 6a exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4881c4e registers.esp: 1370948 registers.edi: 0 registers.eax: 39085836 registers.ebp: 1370996 registers.edx: 39085836 registers.ebx: 39085280 registers.esi: 39085256 registers.ecx: 1857964434	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0x5772d9 0x571531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4882029 registers.esp: 1370944 registers.edi: 1370984 registers.eax: 3 registers.ebp: 1370996 registers.edx: 0 registers.ebx: 38856472 registers.esi: 39098392 registers.ecx: 0	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0x571531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5773cc registers.esp: 1371004 registers.edi: 39109388 registers.eax: 0 registers.ebp: 1372280 registers.edx: 39109388 registers.ebx: 38856472 registers.esi: 0 registers.ecx: 38150800	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0x577803 0x571531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 e1 db 5c 6a 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4882f04 registers.esp: 1370932 registers.edi: 1370980 registers.eax: 0 registers.ebp: 1370996 registers.edx: 1370900 registers.ebx: 38856472 registers.esi: 0 registers.ecx: 0	1
__exception__ June 22, 2021, 7:58 a.m.	stacktrace: 0xad17a0 0xad0fc3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 83 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad1c13 registers.esp: 1962032 registers.edi: 1962056 registers.eax: 0 registers.ebp: 1962068 registers.edx: 195 registers.ebx: 1962324 registers.esi: 41499656 registers.ecx: 0	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0xad6ddf 0xad1531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 ce 33 37 6e 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xadd717 registers.esp: 1960740 registers.edi: 1960804 registers.eax: 0 registers.ebp: 1960820 registers.edx: 1960708 registers.ebx: 41782612 registers.esi: 41784776 registers.ecx: 0	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0xad71f7 0xad1531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 72 d0 fb 69 exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4f11c4e registers.esp: 1960772 registers.edi: 0 registers.eax: 42012004 registers.ebp: 1960820 registers.edx: 42012004 registers.ebx: 42011448 registers.esi: 42011424 registers.ecx: 1857964434	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0xad72d3 0xad1531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4f12029 registers.esp: 1960768 registers.edi: 1960808 registers.eax: 3 registers.ebp: 1960820 registers.edx: 0 registers.ebx: 41782612 registers.esi: 42024560 registers.ecx: 0	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0xad1531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xad73c6 registers.esp: 1960828 registers.edi: 42035556 registers.eax: 0 registers.ebp: 1962104 registers.edx: 42035556 registers.ebx: 41782612 registers.esi: 0 registers.ecx: 40969284	1
__exception__ June 22, 2021, 7:59 a.m.	stacktrace: 0xad77fd 0xad1531 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 e1 db f3 69 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4f12f04 registers.esp: 1960756 registers.edi: 1960804 registers.eax: 0 registers.ebp: 1960820 registers.edx: 1960724 registers.ebx: 41782612 registers.esi: 0 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6FEFDB4D5C1D411D177D75771792D61.html
suspicious_features	GET method with no useragent header				suspicious_request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-AF112CDD77AAF014CB96EAE02F666573.html

Performs some HTTP requests (2 events)

request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6FEFDB4D5C1D411D177D75771792D61.html
request	GET http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-AF112CDD77AAF014CB96EAE02F666573.html

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1681 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:57 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x63231000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x63232000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 6928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe

A process created a hidden window (11 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force filepath: powershell	1	1
ShellExecuteExW June 22, 2021, 7:58 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force filepath: powershell	1	1

Moves the original executable to a new location (2 events)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW June 22, 2021, 7:57 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\user.config flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\drqgnjyp.newcfg newfilepath: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\user.config oldfilepath: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\drqgnjyp.newcfg	1	1	0
MoveFileWithProgressW June 22, 2021, 7:57 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\user.config flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\q1aeqvts.newcfg newfilepath: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\user.config oldfilepath: C:\Users\test22\AppData\Local\։֊շեֆՖՕՔ՗՛պձ֛֋֊՚Օ՗։֊ֈֆ՛՜\oki.exe_Url_vg2von44gk01w4t3vrg25kvm1nrsfebz\1.845.828.489\q1aeqvts.newcfg	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 22, 2021, 7:57 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (13 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 22, 2021, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (20 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess June 22, 2021, 7:58 a.m.	status_code: 0xffffffff process_identifier: 656 process_handle: 0x00000234
NtTerminateProcess June 22, 2021, 7:58 a.m.	status_code: 0xffffffff process_identifier: 656 process_handle: 0x00000234	1
NtTerminateProcess June 22, 2021, 7:58 a.m.	status_code: 0xffffffff process_identifier: 4408 process_handle: 0x00000234
NtTerminateProcess June 22, 2021, 7:58 a.m.	status_code: 0xffffffff process_identifier: 4408 process_handle: 0x00000234	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 500 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000078c	1	0	0
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 1568 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000006d4	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 22, 2021, 7:58 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	oki.exe tried to sleep 13641050 seconds, actually delayed analysis time by 13641050 seconds
description	7324971p7b2Sfi.exe tried to sleep 13641050 seconds, actually delayed analysis time by 13641050 seconds

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\7324971p7b2Sfi	reg_value	C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\7324971p7b2Sfi	reg_value	C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qweruiuyt	reg_value	C:\Users\test22\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qweruiuyt	reg_value	C:\Users\test22\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæLÐ`àX.w @ À@ÜvO\ H.text4W X `.rsrc\Z@@.reloc r@B base_address: 0x00400000 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: p07 base_address: 0x0043a000 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæLÐ`àX.w @ À@ÜvO\ H.text4W X `.rsrc\Z@@.reloc r@B base_address: 0x00400000 process_identifier: 1568 process_handle: 0x000006d4	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: p07 base_address: 0x0043a000 process_identifier: 1568 process_handle: 0x000006d4	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 1568 process_handle: 0x000006d4	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæLÐ`àX.w @ À@ÜvO\ H.text4W X `.rsrc\Z@@.reloc r@B base_address: 0x00400000 process_identifier: 500 process_handle: 0x0000078c	1	1	0
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæLÐ`àX.w @ À@ÜvO\ H.text4W X `.rsrc\Z@@.reloc r@B base_address: 0x00400000 process_identifier: 1568 process_handle: 0x000006d4	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 22, 2021, 7:59 a.m.	thread_identifier: 0 callback_function: 0x00e313ea hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	42991839	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
Alibaba	Trojan:MSIL/Generic.b7e4bd59
Cyren	W32/MSIL_Agent.BZW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.IDC
Kaspersky	UDS:Trojan-Downloader.MSIL.Foold.gen
Avast	FileRepMetagen [Malware]
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
APEX	Malicious
Microsoft	Trojan:MSIL/Tenga.AA!MTB
McAfee	RDN/Generic.dx
Malwarebytes	Spyware.AzorUlt
Ikarus	Trojan.Inject
Fortinet	MSIL/Kryptik.ABOO!tr
AVG	FileRepMetagen [Malware]

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 called NtSetContextThread to modify thread in remote process 500
Process injection	Process 4408 called NtSetContextThread to modify thread in remote process 1568
NtSetContextThread June 22, 2021, 7:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421422 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000788 process_identifier: 500	1	0	0
NtSetContextThread June 22, 2021, 7:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421422 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000006d0 process_identifier: 1568	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 resumed a thread in remote process 500
Process injection	Process 4408 resumed a thread in remote process 1568
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000788 suspend_count: 1 process_identifier: 500	1	0	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000006d0 suspend_count: 1 process_identifier: 1568	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (50 out of 141 events)

Time & API	Arguments	Status	Return
NtResumeThread June 22, 2021, 7:57 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 656	1	0
NtResumeThread June 22, 2021, 7:57 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread June 22, 2021, 7:57 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread June 22, 2021, 7:57 a.m.	thread_handle: 0x0000058c suspend_count: 1 process_identifier: 656	1	0
NtResumeThread June 22, 2021, 7:57 a.m.	thread_handle: 0x000005dc suspend_count: 1 process_identifier: 656	1	0
NtGetContextThread June 22, 2021, 7:57 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread June 22, 2021, 7:57 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 7636 thread_handle: 0x00000664 process_identifier: 6928 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000668	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 7960 thread_handle: 0x00000670 process_identifier: 8992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000688	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000678 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 6952 thread_handle: 0x00000670 process_identifier: 3800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006a4	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000698 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 4452 thread_handle: 0x000006a4 process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006bc	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000006b0 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 2120 thread_handle: 0x00000708 process_identifier: 4408 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7324971p7b2Sfi.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000072c	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000714 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 4120 thread_handle: 0x00000708 process_identifier: 4368 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000748	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000738 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 4404 thread_handle: 0x00000744 process_identifier: 5272 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\oki.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000764	1	1
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000758 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 3180 thread_handle: 0x00000768 process_identifier: 8628 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\595354a157307x11cwdO5b8e72e4hQ1c8cd50a426gU\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000778	1	1
CreateProcessInternalW June 22, 2021, 7:58 a.m.	thread_identifier: 296 thread_handle: 0x00000788 process_identifier: 500 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\oki.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\oki.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000078c	1	1
NtGetContextThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000788	1	0
NtAllocateVirtualMemory June 22, 2021, 7:58 a.m.	process_identifier: 500 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000078c	1	0
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæLÐ`àX.w @ À@ÜvO\ H.text4W X `.rsrc\Z@@.reloc r@B base_address: 0x00400000 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: base_address: 0x00402000 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: base_address: 0x00438000 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: p07 base_address: 0x0043a000 process_identifier: 500 process_handle: 0x0000078c	1	1
WriteProcessMemory June 22, 2021, 7:58 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 500 process_handle: 0x0000078c	1	1
NtSetContextThread June 22, 2021, 7:58 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421422 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000788 process_identifier: 500	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000788 suspend_count: 1 process_identifier: 500	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 6928	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 6928	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 6928	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 6928	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 8992	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 8992	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 8992	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 8992	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000004b8 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread June 22, 2021, 7:58 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4408	1	0

oki.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All