Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 19, 2021, 4:57 p.m.	Nov. 19, 2021, 5:14 p.m.

Size	266.6KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6b9b7cbe70891c32b9fa7ec3d4737d09`
SHA256	`fe0f1fd4a510707f64b904fc422649f8ce38cefa77e13d9607abf19b7d6be83d`
CRC32	`48D0B2EB`
ssdeep	`3072:LKqrPAYZw0nwXekXVMnl69Ns/cw1hIPN7i59JpOo:LKqLAYZw0nwXekXml6920w1E85HIo`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

8364_1637262017_3569.exe "C:\Users\test22\AppData\Local\Temp\8364_1637262017_3569.exe"
2768
- 8364_1637262017_3569.exe C:\Users\test22\AppData\Local\Temp\8364_1637262017_3569.exe
  1948

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
bbuseruploads.s3.amazonaws.com	CNAME s3-1-w.amazonaws.com CNAME s3-w.us-east-1.amazonaws.com A 52.216.249.60	52.217.163.217

IP Address	Status	Action
104.192.141.1	Active	Moloch
164.124.101.2	Active	Moloch
52.216.249.60	Active	Moloch
65.108.21.21	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 52.216.249.60:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49161 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org	4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0
TLS 1.2 192.168.56.101:49163 52.216.249.60:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2	C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.s3.amazonaws.com	90:e0:af:dc:fa:f7:0b:ac:50:bb:fa:43:e1:ec:e2:3d:ce:91:90:47

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0
IsDebuggerPresent Nov. 19, 2021, 4:57 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 19, 2021, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f5e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f5e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f5ed0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e76c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e76c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e7888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00758a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00758a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00758a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0078e038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0078e038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2021, 4:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0078def8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2021, 4:57 p.m.		1	1	0

One or more processes crashed (17 events)

Time & API	Arguments	Status
__exception__ Nov. 19, 2021, 4:57 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x83fe780 0x83fe6c2 0x83fb73b 0x83f638b 0x83f84c7 0x493c06b 0x493d438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0xbb0b1a 0x4931a89 0x493198c 0x49316f9 0x4931479 0xbfc0bb 0xbfb90d 0xbf77a7 0xbf70b7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3401140 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 3401344 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 19, 2021, 4:57 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x83fe780 0x83fe6c2 0x83fb73b 0x83f638b 0x83f84c7 0x493c06b 0x493d438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0xbb0b1a 0x4931a89 0x493198c 0x49316f9 0x4931479 0xbfc0bb 0xbfb90d 0xbf77a7 0xbf70b7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3401140 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 3401344 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 19, 2021, 4:57 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x83fe780 0x83fe6c2 0x83fb73b 0x83f638b 0x83f84c7 0x493c06b 0x493d438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x3133fd @ 0x721833fd 0xbb0b1a 0x4931a89 0x493198c 0x49316f9 0x4931479 0xbfc0bb 0xbfb90d 0xbf77a7 0xbf70b7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3401140 registers.edi: 1980555208 registers.eax: 12648448 registers.ebp: 3401344 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5cc6da 0x5cc61d 0x5c7dc1 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 85 c0 74 07 ba 01 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5cc78e registers.esp: 4059448 registers.edi: 38919948 registers.eax: 0 registers.ebp: 4059472 registers.edx: 7102968 registers.ebx: 38919884 registers.esi: 38920112 registers.ecx: 0	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72fe1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72eb2ba1 mscorlib+0x36dd51 @ 0x721ddd51 mscorlib+0x32fea6 @ 0x7219fea6 mscorlib+0x30ab40 @ 0x7217ab40 0x5ce500 0x5ce409 0x5cdb3d 0x5cd010 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 4058720 registers.edi: 0 registers.eax: 4058720 registers.ebp: 4058800 registers.edx: 0 registers.ebx: 7411704 registers.esi: 7102968 registers.ecx: 392440293	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x53818d6 0x53817f9 0x5380738 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058980 registers.edi: 0 registers.eax: 0 registers.ebp: 4059040 registers.edx: 80885520 registers.ebx: 43879748 registers.esi: 44012572 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x53818d6 0x53817f9 0x5380738 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058980 registers.edi: 0 registers.eax: 0 registers.ebp: 4059040 registers.edx: 80885520 registers.ebx: 42987328 registers.esi: 43120152 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x53818d6 0x53817f9 0x5380738 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058980 registers.edi: 0 registers.eax: 0 registers.ebp: 4059040 registers.edx: 80885520 registers.ebx: 42143224 registers.esi: 42276048 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5385259 0x5385179 0x53807e7 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058912 registers.edi: 0 registers.eax: 0 registers.ebp: 4058972 registers.edx: 80885520 registers.ebx: 41090904 registers.esi: 41223728 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5385259 0x5385179 0x53807e7 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058912 registers.edi: 0 registers.eax: 0 registers.ebp: 4058972 registers.edx: 80885520 registers.ebx: 44346672 registers.esi: 44479496 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5385259 0x5385179 0x53807e7 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058912 registers.edi: 0 registers.eax: 0 registers.ebp: 4058972 registers.edx: 80885520 registers.ebx: 42783192 registers.esi: 42916016 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5385a3f 0x5385969 0x53808c1 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058960 registers.edi: 0 registers.eax: 0 registers.ebp: 4059020 registers.edx: 80885520 registers.ebx: 41368568 registers.esi: 41501392 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5385a3f 0x5385969 0x53808c1 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058960 registers.edi: 0 registers.eax: 0 registers.ebp: 4059020 registers.edx: 80885520 registers.ebx: 41551888 registers.esi: 41684712 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x5385a3f 0x5385969 0x53808c1 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058960 registers.edi: 0 registers.eax: 0 registers.ebp: 4059020 registers.edx: 80885520 registers.ebx: 41814736 registers.esi: 41947560 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x53860ad 0x5385fd9 0x5380990 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058984 registers.edi: 0 registers.eax: 0 registers.ebp: 4059044 registers.edx: 80885520 registers.ebx: 41951596 registers.esi: 42084420 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x53860ad 0x5385fd9 0x5380990 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058984 registers.edi: 0 registers.eax: 0 registers.ebp: 4059044 registers.edx: 80885520 registers.ebx: 42084500 registers.esi: 42217324 registers.ecx: 80890872	1
__exception__ Nov. 19, 2021, 4:58 p.m.	stacktrace: 0x53860ad 0x5385fd9 0x5380990 0x5cf91c 0x5ccf52 0x5c7e50 0x5c7a10 0x5c01c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 00 8b 40 04 89 45 c8 eb 11 e8 f4 06 ab 6d eb exception.instruction: cmp byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5382042 registers.esp: 4058984 registers.edi: 0 registers.eax: 0 registers.ebp: 4059044 registers.edx: 80885520 registers.ebx: 42206736 registers.esi: 42339560 registers.ecx: 80890872	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://bitbucket.org/malifesta/repository/downloads/CVE_Update_2021.jpeg
suspicious_features	GET method with no useragent header				suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/9a2c9a88-9c7d-4fbf-ad47-61608bd722a7/downloads/e4951140-889c-4816-ab10-8b242e25f9dd/CVE_Update_2021.jpeg?Signature=MhsFl0n3i3U35sNewiWsqeAAvNA%3D&Expires=1637311253&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=QaQwwVgIdByirGNQDzHZ2X8Qea__Sdfp&response-content-disposition=attachment%3B%20filename%3D%22CVE_Update_2021.jpeg%22

Performs some HTTP requests (2 events)

request	GET https://bitbucket.org/malifesta/repository/downloads/CVE_Update_2021.jpeg
request	GET https://bbuseruploads.s3.amazonaws.com/9a2c9a88-9c7d-4fbf-ad47-61608bd722a7/downloads/e4951140-889c-4816-ab10-8b242e25f9dd/CVE_Update_2021.jpeg?Signature=MhsFl0n3i3U35sNewiWsqeAAvNA%3D&Expires=1637311253&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=QaQwwVgIdByirGNQDzHZ2X8Qea__Sdfp&response-content-disposition=attachment%3B%20filename%3D%22CVE_Update_2021.jpeg%22

Allocates read-write-execute memory (usually to unpack itself) (50 out of 150 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02060000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bbf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 19, 2021, 4:57 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 19, 2021, 4:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 19, 2021, 4:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000238 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: AddressBook base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: Connection Manager base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: EditPlus base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: Fontcore base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: Google Chrome base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: IE40 base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: IE4Data base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: IEData base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: WIC base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 19, 2021, 4:58 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000238 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Communicates with host for which no DNS query was performed (1 event)

host

65.108.21.21

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 1948 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000698	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#aà0P no @ À&@oW\ H.texttO P `.rsrcR@@.reloc Z@B base_address: 0x00400000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: P8hÜLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0: InternalNameSquawman.exe(LegalCopyright B OriginalFilenameSquawman.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: `p? base_address: 0x0043a000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1948 process_handle: 0x00000698	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#aà0P no @ À&@oW\ H.texttO P `.rsrcR@@.reloc Z@B base_address: 0x00400000 process_identifier: 1948 process_handle: 0x00000698	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 19, 2021, 4:58 p.m.	key_handle: 0x00000244 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 called NtSetContextThread to modify thread in remote process 1948
NtSetContextThread Nov. 19, 2021, 4:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4419438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000704 process_identifier: 1948	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 resumed a thread in remote process 1948
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000704 suspend_count: 1 process_identifier: 1948	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.932320
FireEye	Generic.mg.6b9b7cbe70891c32
ALYac	Gen:Variant.Bulz.932320
Cybereason	malicious.bc3710
Arcabit	Trojan.Bulz.DE39E0
BitDefenderTheta	Gen:NN.ZemsilF.34266.qm1@aaaJy0m
Cyren	W32/Crysan.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TROJ_GEN.R002H07KI21
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Bulz.932320
Avast	FileRepMetagen [Malware]
Ad-Aware	Gen:Variant.Bulz.932320
Emsisoft	Gen:Variant.Bulz.932320 (B)
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
Sophos	Mal/Generic-R
eGambit	PE.Heur.InvalidSig
Microsoft	Trojan:Script/Phonzy.C!ml
GData	Gen:Variant.Bulz.932320
APEX	Malicious
MAX	malware (ai score=80)
Fortinet	PossibleThreat
Webroot	W32.Trojan.Gen
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_70% (W)

Executed a process and injected code into it, probably while unpacking (37 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Nov. 19, 2021, 4:57 p.m.	thread_identifier: 1668 thread_handle: 0x00000704 process_identifier: 1948 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\8364_1637262017_3569.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000698	1	1
NtGetContextThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000704	1	0
NtAllocateVirtualMemory Nov. 19, 2021, 4:57 p.m.	process_identifier: 1948 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000698	1	0
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#aà0P no @ À&@oW\ H.texttO P `.rsrcR@@.reloc Z@B base_address: 0x00400000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: base_address: 0x00402000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: P8hÜLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0: InternalNameSquawman.exe(LegalCopyright B OriginalFilenameSquawman.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: `p? base_address: 0x0043a000 process_identifier: 1948 process_handle: 0x00000698	1	1
WriteProcessMemory Nov. 19, 2021, 4:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1948 process_handle: 0x00000698	1	1
NtSetContextThread Nov. 19, 2021, 4:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4419438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000704 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000704 suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:57 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 1948	1	0
NtGetContextThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread Nov. 19, 2021, 4:58 p.m.	registers.eip: 1928014724 registers.esp: 4058928 registers.edi: 62562304 registers.eax: 81265152 registers.ebp: 4058968 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 39443728 thread_handle: 0x000000e4 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1948	1	0
NtGetContextThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Nov. 19, 2021, 4:58 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1948	1	0

8364_1637262017_3569.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All