Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 18, 2022, 9:31 a.m.	July 18, 2022, 9:38 a.m.

Size	489.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ce2126d6ce78ff9697fb56967d1b8774`
SHA256	`0699ad9d2c1be04e5a335118cab7db196e912bba8b6f0c4fd49a0ade262a5f59`
CRC32	`000A9140`
ssdeep	`12288:pANwRo+mv8QD4+0V16p5MUPVLfAAsmfD2J+mJKUBc5qqajJCtE:pAT8QE+kw2EVJliBwjaItE`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

namdoitntn.exe "C:\Users\test22\AppData\Local\Temp\namdoitntn.exe"
2776
- a.exe "C:\Program Files (x86)\Company\NewProduct\a.exe"
  2856
  - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    2632
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2900
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2900 CREDAT:145409
    3024
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
iplogger.org	A 148.251.234.83	148.251.234.83

IP Address	Status	Action
103.89.90.61	Active	Moloch
117.18.232.200	Active	Moloch
148.251.234.83	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49172 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49172 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.101:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:55871 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
UDP 192.168.56.101:55871 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49169 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49169 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49170 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49170 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49175 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49175 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49172 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49175 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49170 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49169 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 18, 2022, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2022, 9:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 18, 2022, 9:31 a.m.			0	0
IsDebuggerPresent July 18, 2022, 9:31 a.m.			0	0
IsDebuggerPresent July 18, 2022, 9:31 a.m.			0	0
IsDebuggerPresent July 18, 2022, 9:32 a.m.			0	0
IsDebuggerPresent July 18, 2022, 9:32 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (34 events)

Time & API	Arguments	Status	Return
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a612c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a612c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0c053bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0c053bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2022, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a61dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 18, 2022, 9:31 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 113046552 registers.edi: 84714124 registers.eax: 113046552 registers.ebp: 113046632 registers.edx: 18 registers.ebx: 113046916 registers.esi: 2147746133 registers.ecx: 84717608	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7210540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x721052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x721e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 78371080 registers.edi: 1988295184 registers.eax: 78371080 registers.ebp: 78371160 registers.edx: 1 registers.ebx: 6636180 registers.esi: 2147746133 registers.ecx: 3787026762	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xb1c840 0xb1c71d 0xb177d1 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb1c921 registers.esp: 7139348 registers.edi: 43780176 registers.eax: 0 registers.ebp: 7139372 registers.edx: 10760336 registers.ebx: 597007466 registers.esi: 43780344 registers.ecx: 0	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc226870 0xc2267ac 0xc226701 0xc226239 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138540 registers.edi: 0 registers.eax: 0 registers.ebp: 7138600 registers.edx: 179819532 registers.ebx: 43397048 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc226870 0xc2267ac 0xc2266cc 0xc226239 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138540 registers.edi: 0 registers.eax: 0 registers.ebp: 7138600 registers.edx: 179819532 registers.ebx: 44543416 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc226870 0xc2267ac 0xc2266cc 0xc226239 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138540 registers.edi: 0 registers.eax: 0 registers.ebp: 7138600 registers.edx: 179819532 registers.ebx: 45664980 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc229f6c 0xc229e79 0xc226343 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138608 registers.edi: 0 registers.eax: 0 registers.ebp: 7138668 registers.edx: 179819532 registers.ebx: 46790640 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc229f6c 0xc229e79 0xc226343 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138608 registers.edi: 0 registers.eax: 0 registers.ebp: 7138668 registers.edx: 179819532 registers.ebx: 47831116 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc229f6c 0xc229e79 0xc226343 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138608 registers.edi: 0 registers.eax: 0 registers.ebp: 7138668 registers.edx: 179819532 registers.ebx: 48871592 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc22a3b5 0xc22a2d9 0xc225ee1 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138592 registers.edi: 0 registers.eax: 0 registers.ebp: 7138652 registers.edx: 179819532 registers.ebx: 43762336 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc22a3b5 0xc22a2d9 0xc225ee1 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138592 registers.edi: 0 registers.eax: 0 registers.ebp: 7138652 registers.edx: 179819532 registers.ebx: 44943632 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc22a3b5 0xc22a2d9 0xc225ee1 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138592 registers.edi: 0 registers.eax: 0 registers.ebp: 7138652 registers.edx: 179819532 registers.ebx: 46124928 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc22a8f5 0xc22a819 0xc225f79 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138616 registers.edi: 0 registers.eax: 0 registers.ebp: 7138676 registers.edx: 179819532 registers.ebx: 47306304 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc22a8f5 0xc22a819 0xc225f79 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138616 registers.edi: 0 registers.eax: 0 registers.ebp: 7138676 registers.edx: 179819532 registers.ebx: 43959288 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: 0xc22a8f5 0xc22a819 0xc225f79 0xc2254d2 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 40 04 89 45 c8 eb 0c e8 c9 b5 9b 66 eb 05 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xc22716f registers.esp: 7138616 registers.edi: 0 registers.eax: 0 registers.ebp: 7138676 registers.edx: 179819532 registers.ebx: 45142880 registers.esi: 270594845 registers.ecx: 179825000	1
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72d91194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72c62ba1 mscorlib+0x36dd51 @ 0x700fdd51 mscorlib+0x32fea6 @ 0x700bfea6 mscorlib+0x30ab40 @ 0x7009ab40 0xc22761f 0xc22c1e8 0xc22b905 0xc22b19d 0xb1ca48 0xb178c5 0xb174c0 0xb14986 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72bf264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72bf2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ca74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ca7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d31dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d31e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d31f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d3416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7328f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73577f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73574de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 7138764 registers.edi: 0 registers.eax: 7138764 registers.ebp: 7138844 registers.edx: 0 registers.ebx: 10870632 registers.esi: 10760336 registers.ecx: 3788989278	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 178 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 region_size: 2822144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d39000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bf2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 3024 region_size: 2887680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2022, 9:31 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2900 crashed
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 113046552 registers.edi: 84714124 registers.eax: 113046552 registers.ebp: 113046632 registers.edx: 18 registers.ebx: 113046916 registers.esi: 2147746133 registers.ecx: 84717608	1	0	0
__exception__ July 18, 2022, 9:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7210540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x721052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x721e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 78371080 registers.edi: 1988295184 registers.eax: 78371080 registers.ebp: 78371160 registers.edx: 1 registers.ebx: 6636180 registers.esi: 2147746133 registers.ecx: 3787026762	1	0	0

Application Crash

Process iexplore.exe with pid 2900 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

July 18, 2022, 9:32 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 113046552
registers.edi: 84714124
registers.eax: 113046552
registers.ebp: 113046632
registers.edx: 18
registers.ebx: 113046916
registers.esi: 2147746133
registers.ecx: 84717608

__exception__

July 18, 2022, 9:32 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7210540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x721052ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x721e0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 78371080
registers.edi: 1988295184
registers.eax: 78371080
registers.ebp: 78371160
registers.edx: 1
registers.ebx: 6636180
registers.esi: 2147746133
registers.ecx: 3787026762

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (2 events)

file	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file	C:\Program Files (x86)\Company\NewProduct\a.exe

Creates a shortcut to an executable file (12 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (1 event)

file	C:\Program Files (x86)\Company\NewProduct\a.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 18, 2022, 9:31 a.m.	show_type: 0 filepath_r: https://iplogger.org/1RCgX4 parameters: filepath: https://iplogger.org/1RCgX4	1	1	0
ShellExecuteExW July 18, 2022, 9:31 a.m.	show_type: 0 filepath_r: https://iplogger.org/1RCgX4 parameters: filepath: https://iplogger.org/1RCgX4	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x066e0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 18, 2022, 9:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (18 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000048c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: AddressBook base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: Connection Manager base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: DirectDrawEx base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: EditPlus base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: ENTERPRISE base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: Fontcore base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: Google Chrome base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: IE40 base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: IE4Data base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: IE5BAKEX base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: IEData base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: MobileOptionPack base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: NewProduct 1.00 base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: SchedulingAgent base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: WIC base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 18, 2022, 9:32 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000048c key_handle: 0x00000490 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2900 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	103.89.90.61
host	117.18.232.200

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 2632 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274		3221225496	0
NtAllocateVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 2632 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 18, 2022, 9:32 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELs%Äà0Ênè @ @@èSÞ H.texttÈ Ê `.rsrcÞÌ@@.reloc Ò@B base_address: 0x000b0000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: P8h TôêT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameFormulizes.exe(LegalCopyright FOriginalFilenameFormulizes.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000f0000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: àp8 base_address: 0x000f2000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2632 process_handle: 0x00000274	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELs%Äà0Ênè @ @@èSÞ H.texttÈ Ê `.rsrcÞÌ@@.reloc Ò@B base_address: 0x000b0000 process_identifier: 2632 process_handle: 0x00000274	1	1	0

Collects information about installed applications (28 events)

Time & API	Arguments	Status
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: NewProduct 1.00 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 18, 2022, 9:32 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2856 called NtSetContextThread to modify thread in remote process 2632
NtSetContextThread July 18, 2022, 9:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4450414 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000270 process_identifier: 2632	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2856 resumed a thread in remote process 2632
Process injection	Process 2900 resumed a thread in remote process 3024
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2632	1	0	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 3024	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 events)

Time & API	Arguments	Status	Return
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2776	1	0
CreateProcessInternalW July 18, 2022, 9:31 a.m.	thread_identifier: 2860 thread_handle: 0x0000027c process_identifier: 2856 current_directory: C:\Program Files (x86)\Company\NewProduct\ filepath: C:\Program Files (x86)\Company\NewProduct\a.exe track: 1 command_line: "C:\Program Files (x86)\Company\NewProduct\a.exe" filepath_r: C:\Program Files (x86)\Company\NewProduct\a.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000284	1	1
CreateProcessInternalW July 18, 2022, 9:31 a.m.	thread_identifier: 2904 thread_handle: 0x000002bc process_identifier: 2900 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2856	1	0
CreateProcessInternalW July 18, 2022, 9:32 a.m.	thread_identifier: 2656 thread_handle: 0x00000270 process_identifier: 2632 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000274	1	1
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000270	1	0
NtAllocateVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 2632 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274		3221225496
NtAllocateVirtualMemory July 18, 2022, 9:32 a.m.	process_identifier: 2632 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELs%Äà0Ênè @ @@èSÞ H.texttÈ Ê `.rsrcÞÌ@@.reloc Ò@B base_address: 0x000b0000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: base_address: 0x000b2000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: P8h TôêT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameFormulizes.exe(LegalCopyright FOriginalFilenameFormulizes.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000f0000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: àp8 base_address: 0x000f2000 process_identifier: 2632 process_handle: 0x00000274	1	1
WriteProcessMemory July 18, 2022, 9:32 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2632 process_handle: 0x00000274	1	1
NtSetContextThread July 18, 2022, 9:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4450414 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000270 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2632	1	0
CreateProcessInternalW July 18, 2022, 9:31 a.m.	thread_identifier: 3028 thread_handle: 0x00000338 process_identifier: 3024 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2900 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000033c	1	1
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2900	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x0000061c	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread July 18, 2022, 9:31 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 3024	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2632	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2632	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2632	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread July 18, 2022, 9:32 a.m.	registers.eip: 1925589892 registers.esp: 7138972 registers.edi: 64856737 registers.eax: 9634304 registers.ebp: 7139012 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 43185876 thread_handle: 0x000000e8 process_identifier: 2632	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2632	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread July 18, 2022, 9:32 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2632	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
MicroWorld-eScan	IL:Trojan.MSILMamut.5295
FireEye	Generic.mg.ce2126d6ce78ff96
McAfee	RDN/Generic.hbg
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.221148
K7AntiVirus	Trojan ( 0058ace11 )
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 0058ace11 )
Cybereason	malicious.ded2c8
BitDefenderTheta	Gen:NN.ZemsilF.34786.wm0@audII94S
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.ADNP
TrendMicro-HouseCall	TROJ_GEN.R002H0DGF22
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	IL:Trojan.MSILMamut.5295
SUPERAntiSpyware	Trojan.Agent/Gen-Dropper
Avast	Win32:CrypterX-gen [Trj]
Emsisoft	IL:Trojan.MSILMamut.5295 (B)
SentinelOne	Static AI - Malicious PE
Gridinsoft	Trojan.Win32.CoinMiner.vb!s8
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	IL:Trojan.MSILMamut.5295
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Lazy.221148
MAX	malware (ai score=83)
Malwarebytes	Trojan.SmartInstaller
APEX	Malicious
Ikarus	Trojan.Win32.Crypt
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq
Fortinet	W32/PossibleThreat
AVG	Win32:CrypterX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

namdoitntn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All