Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 13, 2021, 9:41 a.m.	Dec. 13, 2021, 10:18 a.m.

Size	261.1KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`62201c2f4c90866e9048ab60e3573591`
SHA256	`1c71b83cbb3da5825be602ea9be89c322e571b53a6501f781464421c9a397961`
CRC32	`F065A32C`
ssdeep	`3072:/jdiCgEzLbF0azX86nbOmxrKKHbBTQXUPdywGyTzBpOo:/j8ClbFLxrl7BBT9Io`
PDB Path	C:\Users\Administrator\Desktop\razgon.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Alpha.exe "C:\Users\test22\AppData\Local\Temp\Alpha.exe"
2840
- cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\Alpha.exe" debug
  2944
  - Alpha.exe C:\Users\test22\AppData\Local\Temp\Alpha.exe debug
    3064
    - Alpha.exe C:\Users\test22\AppData\Local\Temp\Alpha.exe
      2232

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
bbuseruploads.s3.amazonaws.com	CNAME s3-1-w.amazonaws.com A 52.217.75.116 CNAME s3-w.us-east-1.amazonaws.com	54.231.197.137

IP Address	Status	Action
104.192.141.1	Active	Moloch
164.124.101.2	Active	Moloch
185.181.8.77	Active	Moloch
52.217.75.116	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 52.217.75.116:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49166 52.217.75.116:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2	C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.s3.amazonaws.com	90:e0:af:dc:fa:f7:0b:ac:50:bb:fa:43:e1:ec:e2:3d:ce:91:90:47
TLS 1.2 192.168.56.101:49165 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org	4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 13, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Dec. 13, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Dec. 13, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Dec. 13, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Dec. 13, 2021, 10:17 a.m.			0	0
IsDebuggerPresent Dec. 13, 2021, 10:17 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (20 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cde40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cde40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cde80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cde80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdd00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdd00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdfc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cdd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ce400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ceb80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ce380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cea40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ce900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ce900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ce0c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007ce0c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2021, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007cea80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\razgon.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 13, 2021, 9:41 a.m.		1	1	0

One or more processes crashed (18 events)

Time & API	Arguments	Status
__exception__ Dec. 13, 2021, 9:41 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x63c41d 0x63c392 0x638cb9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x8aafd81 0x8aaf2b7 0x739981 0x739081 0x7382da 0x7361af DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x733327 0x730a03 0x7306a6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4181436 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 4181640 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 13, 2021, 9:41 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x63c41d 0x63c392 0x638cb9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x8aafd81 0x8aaf2b7 0x739981 0x739081 0x7382da 0x7361af DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x733327 0x730a03 0x7306a6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4181436 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 4181640 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 13, 2021, 9:41 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x63c41d 0x63c392 0x638cb9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x8aafd81 0x8aaf2b7 0x739981 0x739081 0x7382da 0x7361af DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x733327 0x730a03 0x7306a6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4181436 registers.edi: 1980555208 registers.eax: 1240006656 registers.ebp: 4181640 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 13, 2021, 9:41 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x63c41d 0x63c392 0x638cb9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x8aafd81 0x8aaf2b7 0x739981 0x739081 0x7382da 0x7361af DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x733327 0x730a03 0x7306a6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4181436 registers.edi: 1980555208 registers.eax: 16318464 registers.ebp: 4181640 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x522182 0x5220fd 0x5214ec 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x522211 registers.esp: 3535544 registers.edi: 40979616 registers.eax: 0 registers.ebp: 3535568 registers.edx: 8155320 registers.ebx: 39855240 registers.esi: 40979796 registers.ecx: 0	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72941194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72812ba1 mscorlib+0x36dd51 @ 0x71b3dd51 mscorlib+0x32fea6 @ 0x71affea6 mscorlib+0x30ab40 @ 0x71adab40 0x52a2d9 0x52a229 0x529db3 0x5297f0 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 3535036 registers.edi: 0 registers.eax: 3535036 registers.ebp: 3535116 registers.edx: 0 registers.ebx: 8132832 registers.esi: 8155320 registers.ecx: 470750403	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52c0a7 0x52bfe9 0x52bd00 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535272 registers.edi: 41228138 registers.eax: 0 registers.ebp: 3535320 registers.edx: 93743240 registers.ebx: 41227988 registers.esi: 41228208 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52c0a7 0x52bfe9 0x52bd00 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535272 registers.edi: 42320206 registers.eax: 0 registers.ebp: 3535320 registers.edx: 93743240 registers.ebx: 42320056 registers.esi: 42320276 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52c0a7 0x52bfe9 0x52bd00 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535272 registers.edi: 41843330 registers.eax: 0 registers.ebp: 3535320 registers.edx: 93743240 registers.ebx: 41843180 registers.esi: 41843400 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52ddc6 0x52dd19 0x52bd8d 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535264 registers.edi: 43114742 registers.eax: 0 registers.ebp: 3535312 registers.edx: 93743240 registers.ebx: 43114592 registers.esi: 43114812 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52ddc6 0x52dd19 0x52bd8d 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535264 registers.edi: 44234306 registers.eax: 0 registers.ebp: 3535312 registers.edx: 93743240 registers.ebx: 44234156 registers.esi: 44234376 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52ddc6 0x52dd19 0x52bd8d 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535264 registers.edi: 45353870 registers.eax: 0 registers.ebp: 3535312 registers.edx: 93743240 registers.ebx: 45353720 registers.esi: 45353940 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52e2d5 0x52e229 0x52be05 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535268 registers.edi: 41672646 registers.eax: 0 registers.ebp: 3535316 registers.edx: 93743240 registers.ebx: 41672496 registers.esi: 41672716 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52e2d5 0x52e229 0x52be05 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535268 registers.edi: 42851366 registers.eax: 0 registers.ebp: 3535316 registers.edx: 93743240 registers.ebx: 42851216 registers.esi: 42851436 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52e2d5 0x52e229 0x52be05 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535268 registers.edi: 44030086 registers.eax: 0 registers.ebp: 3535316 registers.edx: 93743240 registers.ebx: 44029936 registers.esi: 44030156 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52e6c5 0x52e619 0x52be73 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535272 registers.edi: 45209042 registers.eax: 0 registers.ebp: 3535320 registers.edx: 93743240 registers.ebx: 45208892 registers.esi: 45209112 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52e6c5 0x52e619 0x52be73 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535272 registers.edi: 41966862 registers.eax: 0 registers.ebp: 3535320 registers.edx: 93743240 registers.ebx: 41966712 registers.esi: 41966932 registers.ecx: 93748592	1
__exception__ Dec. 13, 2021, 10:17 a.m.	stacktrace: 0x52e6c5 0x52e619 0x52be73 0x52b892 0x525ef9 0x521556 0x521240 0x520056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 d4 eb 11 e8 29 62 26 72 eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c50f registers.esp: 3535272 registers.edi: 43147702 registers.eax: 0 registers.ebp: 3535320 registers.edx: 93743240 registers.ebx: 43147552 registers.esi: 43147772 registers.ecx: 93748592	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://bitbucket.org/trustedrootdev/file/downloads/razgon.jpg
suspicious_features	GET method with no useragent header				suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/a0c2d096-5a32-4fc5-bc89-144f91b75eea/downloads/411caa37-48c8-4097-ae07-df03f10a4d1a/razgon.jpg?Signature=0vMst36P5Stk85NrQK%2B54WdYoug%3D&Expires=1639359451&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=WfwOKAr01OAlbnrBEoYk.OM8wgSajWQe&response-content-disposition=attachment%3B%20filename%3D%22razgon.jpg%22

Performs some HTTP requests (2 events)

request	GET https://bitbucket.org/trustedrootdev/file/downloads/razgon.jpg
request	GET https://bbuseruploads.s3.amazonaws.com/a0c2d096-5a32-4fc5-bc89-144f91b75eea/downloads/411caa37-48c8-4097-ae07-df03f10a4d1a/razgon.jpg?Signature=0vMst36P5Stk85NrQK%2B54WdYoug%3D&Expires=1639359451&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=WfwOKAr01OAlbnrBEoYk.OM8wgSajWQe&response-content-disposition=attachment%3B%20filename%3D%22razgon.jpg%22

Allocates read-write-execute memory (usually to unpack itself) (50 out of 129 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00731000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00738000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08aae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\Alpha.exe" debug

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 13, 2021, 9:41 a.m.	show_type: 0 filepath_r: cmd parameters: /C "C:\Users\test22\AppData\Local\Temp\Alpha.exe" debug filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 13, 2021, 9:41 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 13, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 13, 2021, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: AddressBook base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: Connection Manager base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: EditPlus base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: Fontcore base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: Google Chrome base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: IE40 base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: IE4Data base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: IEData base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: WIC base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Dec. 13, 2021, 10:17 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000248 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

185.181.8.77

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2232 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000228	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (7 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÊ©à0Ö À@ x@OÀì èàh H.text´ `.rsrcì À@@.relocà@B base_address: 0x00400000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: 0H`x¨ÀØð 0ÁhäÅä¬ÅTäÈêä( @==ÿÿÿ e__'shh'vl-Dx <¬¢:Ú¡9Ú¡;¬Avj^(r``$\OO!{{ÿÿÿc]](xml(Et¢:æ¤:ÿ¦<ÿ¦<ÿ§;ÿ¥9ÿ¤8ÿ¢5æ=qwcc#UGF!jde\XX'wll(?£9ÿ¦=ÿ©?ÿª@ÿ«Aÿ«@ÿª?ÿ¨;ÿ¦9ÿ¢4ÿ8s_^"OAA h``'Fl¢8ÿ¦=ÿº£gÿñéâÿïçÜÿÚÍÿÜÌÿðéÞÿîåÙÿ²Oÿ¦8ÿ¢3ÿ{;h_JJ }oe- 7ö¤;ÿ¯LÿíåÙÿûööÿüøøÿüùùÿýúúÿüùùÿüøøÿÜÎ°ÿ¨:ÿ¤5ÿ 0öx`R&@w¡8ÿ§=ÿ®HÿìãÕÿüøøÿýúúÿþûûÿþüüÿþûûÿýúúÿÔÂÿ©;ÿ¦6ÿ¢2ÿz7t9³¢8ÿ§=ÿ«Bÿ²LÿóíäÿþûûÿþýýÿÿýýÿþüüÿÞÑ³ÿ®Aÿ«<ÿ§7ÿ¢3ÿ~2±4ß¢8ÿ¨=ÿ®EÿµQÿ¶TÿùöñÿÿýýÿÿÿÿÿâÙ¼ÿÏ½ÿýúúÿÉµÿ§7ÿ£2ÿ0ß3ß¡6ÿ¦;ÿÎ¼ÿûööÿàÒµÿ±JÿýüûÿñêÜÿ¯FÿïçÙÿüùùÿÙÊ©ÿ¦6ÿ¢2ÿ.ß~4² 4ÿ¤9ÿÕÅ£ÿúõõÿïåØÿ¯Dÿ°Hÿ¯Eÿ¶UÿÚÊ§ÿûøøÿÀ©pÿ¤3ÿ 1ÿ{/±w7v2ÿ¢6ÿ±RÿàÓºÿÃuÿôìãÿÛÌ«ÿË¸ÿüùùÿÎ»ÿ©9ÿ¦5ÿ£2ÿ/ÿu1sbWL)~/ö 3ÿ£6ÿ§9ÿ´WÿúõõÿìãÕÿÏ¼ÿúööÿÛÎ°ÿ¦5ÿ¤3ÿ 1ÿ~-÷]G:#A<<"u6j/ÿ2ÿ¢4ÿ¥6ÿçÝÍÿÚÌÿ§8ÿÙÊÿ²Tÿ£3ÿ 1ÿ-ÿs0hA22,,,!C<<"x2.ÿ0ÿ 1ÿ¡3ÿ£3ÿ£3ÿ¢2ÿ 1ÿ/ÿ-ÿw.B22.&%^^^--,!=55!q0q~-è.ÿ/ÿ/ÿ/ÿ.ÿ~-ÿ}-çp-oA22-%&QQQ ÿÿÿXXX&&&3.. SE5'q.ty-¬\|,Ù{+Ùx,¬q-tUA1%3(',''HHHÿÿÿ hT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameThorniness.exe(LegalCopyright FOriginalFilenameThorniness.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD base_address: 0x0041c000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: Ø? base_address: 0x0041e000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2232 process_handle: 0x00000228	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÊ©à0Ö À@ x@OÀì èàh H.text´ `.rsrcì À@@.relocà@B base_address: 0x00400000 process_identifier: 2232 process_handle: 0x00000228	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 13, 2021, 10:17 a.m.	key_handle: 0x000001ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Cybereason	malicious.829760
BitDefenderTheta	Gen:NN.ZemsilF.34084.qm1@ayu1@Kc
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Ikarus	Trojan-Downloader.MSIL.Agent
eGambit	PE.Heur.InvalidSig
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
APEX	Malicious
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_100% (W)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3064 called NtSetContextThread to modify thread in remote process 2232
NtSetContextThread Dec. 13, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4296662 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000022c process_identifier: 2232	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3064 resumed a thread in remote process 2232
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2232	1	0	0

Executed a process and injected code into it, probably while unpacking (35 events)

Time & API	Arguments	Status	Return
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2840	1	0
CreateProcessInternalW Dec. 13, 2021, 9:41 a.m.	thread_identifier: 2948 thread_handle: 0x00000350 process_identifier: 2944 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\Alpha.exe" debug filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000358	1	1
CreateProcessInternalW Dec. 13, 2021, 9:41 a.m.	thread_identifier: 3068 thread_handle: 0x00000084 process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Alpha.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Alpha.exe debug filepath_r: C:\Users\test22\AppData\Local\Temp\Alpha.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3064	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 3064	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 3064	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 3064	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 3064	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x000005dc suspend_count: 1 process_identifier: 3064	1	0
CreateProcessInternalW Dec. 13, 2021, 9:41 a.m.	thread_identifier: 2236 thread_handle: 0x0000022c process_identifier: 2232 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Alpha.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000228	1	1
NtGetContextThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x0000022c	1	0
NtAllocateVirtualMemory Dec. 13, 2021, 9:41 a.m.	process_identifier: 2232 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000228	1	0
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÊ©à0Ö À@ x@OÀì èàh H.text´ `.rsrcì À@@.relocà@B base_address: 0x00400000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: base_address: 0x00402000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: 0H`x¨ÀØð 0ÁhäÅä¬ÅTäÈêä( @==ÿÿÿ e__'shh'vl-Dx <¬¢:Ú¡9Ú¡;¬Avj^(r``$\OO!{{ÿÿÿc]](xml(Et¢:æ¤:ÿ¦<ÿ¦<ÿ§;ÿ¥9ÿ¤8ÿ¢5æ=qwcc#UGF!jde\XX'wll(?£9ÿ¦=ÿ©?ÿª@ÿ«Aÿ«@ÿª?ÿ¨;ÿ¦9ÿ¢4ÿ8s_^"OAA h``'Fl¢8ÿ¦=ÿº£gÿñéâÿïçÜÿÚÍÿÜÌÿðéÞÿîåÙÿ²Oÿ¦8ÿ¢3ÿ{;h_JJ }oe- 7ö¤;ÿ¯LÿíåÙÿûööÿüøøÿüùùÿýúúÿüùùÿüøøÿÜÎ°ÿ¨:ÿ¤5ÿ 0öx`R&@w¡8ÿ§=ÿ®HÿìãÕÿüøøÿýúúÿþûûÿþüüÿþûûÿýúúÿÔÂÿ©;ÿ¦6ÿ¢2ÿz7t9³¢8ÿ§=ÿ«Bÿ²LÿóíäÿþûûÿþýýÿÿýýÿþüüÿÞÑ³ÿ®Aÿ«<ÿ§7ÿ¢3ÿ~2±4ß¢8ÿ¨=ÿ®EÿµQÿ¶TÿùöñÿÿýýÿÿÿÿÿâÙ¼ÿÏ½ÿýúúÿÉµÿ§7ÿ£2ÿ0ß3ß¡6ÿ¦;ÿÎ¼ÿûööÿàÒµÿ±JÿýüûÿñêÜÿ¯FÿïçÙÿüùùÿÙÊ©ÿ¦6ÿ¢2ÿ.ß~4² 4ÿ¤9ÿÕÅ£ÿúõõÿïåØÿ¯Dÿ°Hÿ¯Eÿ¶UÿÚÊ§ÿûøøÿÀ©pÿ¤3ÿ 1ÿ{/±w7v2ÿ¢6ÿ±RÿàÓºÿÃuÿôìãÿÛÌ«ÿË¸ÿüùùÿÎ»ÿ©9ÿ¦5ÿ£2ÿ/ÿu1sbWL)~/ö 3ÿ£6ÿ§9ÿ´WÿúõõÿìãÕÿÏ¼ÿúööÿÛÎ°ÿ¦5ÿ¤3ÿ 1ÿ~-÷]G:#A<<"u6j/ÿ2ÿ¢4ÿ¥6ÿçÝÍÿÚÌÿ§8ÿÙÊÿ²Tÿ£3ÿ 1ÿ-ÿs0hA22,,,!C<<"x2.ÿ0ÿ 1ÿ¡3ÿ£3ÿ£3ÿ¢2ÿ 1ÿ/ÿ-ÿw.B22.&%^^^--,!=55!q0q~-è.ÿ/ÿ/ÿ/ÿ.ÿ~-ÿ}-çp-oA22-%&QQQ ÿÿÿXXX&&&3.. SE5'q.ty-¬\|,Ù{+Ùx,¬q-tUA1%3(',''HHHÿÿÿ hT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameThorniness.exe(LegalCopyright FOriginalFilenameThorniness.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD base_address: 0x0041c000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: Ø? base_address: 0x0041e000 process_identifier: 2232 process_handle: 0x00000228	1	1
WriteProcessMemory Dec. 13, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2232 process_handle: 0x00000228	1	1
NtSetContextThread Dec. 13, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4296662 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000022c process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 9:41 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2232	1	0
NtGetContextThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread Dec. 13, 2021, 10:17 a.m.	registers.eip: 1921067908 registers.esp: 3535244 registers.edi: 64024576 registers.eax: 97780224 registers.ebp: 3535284 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 40914916 thread_handle: 0x000000e4 process_identifier: 2232	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2232	1	0
NtGetContextThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Dec. 13, 2021, 10:17 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2232	1	0

Alpha.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All