Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 12, 2023, 9:12 a.m.	April 12, 2023, 9:20 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f6da6da3867f998ae4d9fdc3e92554d0`
SHA256	`dacab6bf94a694ffb32d927da19eaa65a9417cf3af6c51dd7e9bcc9195480267`
CRC32	`136E139F`
ssdeep	`24576:hyG7SzG1vIRLANuN85jUO9/Y7yeKpPi56v1J1ibRO1CM2b2P:UG+ov4LzyDEyeui5cJMbR6H2`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

lega.exe "C:\Users\test22\AppData\Local\Temp\lega.exe"
1508
- zap2026.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zap2026.exe
  1492
  - zap6905.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\zap6905.exe
    2108
    - zap5281.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\zap5281.exe
      2160
      - tz6129.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\tz6129.exe
        2220
      - v8345fm.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\v8345fm.exe
        2668
    - w47iS51.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\w47iS51.exe
      2712
  - xnBuv43.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xnBuv43.exe
    2760
- y42DC44.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y42DC44.exe
  3004
  - oneetx.exe "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
    2180
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
      2252
    - cc.exe "C:\Users\test22\AppData\Local\Temp\1000003001\cc.exe"
      2416
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      2884
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
transfer.sh	A 144.76.136.153	144.76.136.153

IP Address	Status	Action
104.192.141.1	Active	Moloch
144.76.136.153	Active	Moloch
164.124.101.2	Active	Moloch
179.43.155.247	Active	Moloch
185.161.248.90	Active	Moloch
80.66.79.86	Active	Moloch
193.201.9.43	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 80.66.79.86:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 144.76.136.153:443 -> 192.168.56.103:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49179 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
TCP 192.168.56.103:49183 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.103:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49191 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.103:49196	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
TCP 144.76.136.153:443 -> 192.168.56.103:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
TCP 192.168.56.103:49196 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49187 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49188 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49188 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.103:49200	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 80.66.79.86:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 80.66.79.86:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 80.66.79.86:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 80.66.79.86:80 -> 192.168.56.103:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 179.43.155.247:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49176 -> 179.43.155.247:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.103:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 179.43.155.247:80 -> 192.168.56.103:49176	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.103:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49178 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.103:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.103:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49184 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 144.76.136.153:443 -> 192.168.56.103:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.103:49195	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.103:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.103:49199	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49199 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.103:49201	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 80.66.79.86:80 -> 192.168.56.103:49174	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49187 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49183 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49178 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2023, 9:12 a.m.			0	0
IsDebuggerPresent April 12, 2023, 9:12 a.m.			0	0
IsDebuggerPresent April 12, 2023, 9:12 a.m.			0	0
IsDebuggerPresent April 12, 2023, 9:12 a.m.			0	0
IsDebuggerPresent April 12, 2023, 9:13 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9548 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2023, 9:12 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (14 events)

Time & API	Arguments	Status
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x7893a9 0x7891ab 0x787658 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7894e0 registers.esp: 3468872 registers.edi: 3468924 registers.eax: 0 registers.ebp: 3468936 registers.edx: 3942736 registers.ebx: 3470164 registers.esi: 41233112 registers.ecx: 0	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23214ec 0x2320d82 0x2320c55 0x78f203 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467400 registers.edi: 3467744 registers.eax: 0 registers.ebp: 3467408 registers.edx: 0 registers.ebx: 3470164 registers.esi: 41777764 registers.ecx: 42904060	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23214ec 0x2320d82 0x2320c6d 0x78f203 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467400 registers.edi: 3467744 registers.eax: 0 registers.ebp: 3467408 registers.edx: 0 registers.ebx: 3470164 registers.esi: 41777764 registers.ecx: 44208768	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23214ec 0x2320d82 0x2320c6d 0x78f203 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467400 registers.edi: 3467744 registers.eax: 0 registers.ebp: 3467408 registers.edx: 0 registers.ebx: 3470164 registers.esi: 41777764 registers.ecx: 41724200	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x2326096 0x2325951 0x2320c55 0x78f4ec 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467376 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467384 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934472 registers.ecx: 41482876	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x2326096 0x2325951 0x2320c6d 0x78f4ec 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467376 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467384 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934472 registers.ecx: 42829640	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x2326096 0x2325951 0x2320c6d 0x78f4ec 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467376 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467384 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934472 registers.ecx: 44176392	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23269c2 0x2326369 0x2320c55 0x78f604 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467428 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467436 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934472 registers.ecx: 40949208	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23269c2 0x2326369 0x2320c6d 0x78f604 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467428 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467436 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934352 registers.ecx: 42355680	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23269c2 0x2326369 0x2320c6d 0x78f604 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467428 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467436 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934352 registers.ecx: 43749328	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23270d4 0x2326b31 0x2320c55 0x78f70a 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467460 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467468 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934352 registers.ecx: 40949284	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23270d4 0x2326b31 0x2320c6d 0x78f70a 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467460 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467468 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934352 registers.ecx: 42358392	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x23270d4 0x2326b31 0x2320c6d 0x78f70a 0x78e399 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3467460 registers.edi: 3467768 registers.eax: 0 registers.ebp: 3467468 registers.edx: 0 registers.ebx: 3470164 registers.esi: 40934352 registers.ecx: 43754664	1
__exception__ April 12, 2023, 9:12 a.m.	stacktrace: 0x2325588 0x232845b 0x2327a06 0x78e3f1 0x78d567 0x78779d 0x786e53 0x783c08 0x7835d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x23255cb registers.esp: 3468280 registers.edi: 3468544 registers.eax: 0 registers.ebp: 3468288 registers.edx: 0 registers.ebx: 3470164 registers.esi: 44323572 registers.ecx: 44330548	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://80.66.79.86/joomla/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://179.43.155.247/cc.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.66.79.86/joomla/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.66.79.86/joomla/Plugins/clip64.dll

Performs some HTTP requests (4 events)

request	POST http://80.66.79.86/joomla/index.php
request	GET http://179.43.155.247/cc.exe
request	GET http://80.66.79.86/joomla/Plugins/cred64.dll
request	GET http://80.66.79.86/joomla/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://80.66.79.86/joomla/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 169 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4033000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001fe0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b6a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3485000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b6b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002110000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93df6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1e16000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe52d000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93d3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

oneetx.exe tried to sleep 140 seconds, actually delayed analysis time by 140 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2425588 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2425588 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2425291 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2425291 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2425048 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2425048 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2424854 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 2424854 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y42DC44.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xnBuv43.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\v8345fm.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zap2026.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\tz6129.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\zap6905.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\zap5281.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\cc.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\w47iS51.exe

Creates a suspicious process (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\cc.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\cc.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 12, 2023, 9:12 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe	1	1
ShellExecuteExW April 12, 2023, 9:12 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW April 12, 2023, 9:12 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\cc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\cc.exe	1	1
ShellExecuteExW April 12, 2023, 9:13 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process oneetx.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 12, 2023, 9:12 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $:¬KÿTÿKÿTÿKÿTÿUÐÿgÿTÿUÁÿSÿTÿU×ÿÊÿTÿl9/ÿNÿTÿKÿUÿÉÿTÿUÞÿJÿTÿUÀÿJÿTÿUÅÿJÿTÿRichKÿTÿPELk[bà zN°@@[H< °w \ .@´.text: `.dataá°@À.rsrc°w x´@@.relocþ ,@BÔän¦´Îâø.BXjz´Êàò V0BRbn®¼ÊÞü 2HZx¤¸8þ & 8 L ` \| ® º Æ Þ ö ¡¡ ¡8¡J¡X¡d¡r¡\|¡¡¤¡º¡Æ¡Ü¡¢¢6¢L¢f¢t¢¢¢´¢Â¢Ð¢Þ¢ê¢ô¢££$£4£F£Z£j£\|£££´£À£Ð£à£ò£¤¤¤±f@;@ôÕ@½Þ@¡@K>Abg@³(d4`.`"bad allocationÀ.@÷E@êE@Unknown exceptionÔ.@ºH@ð?CorExitProcessmscoree.dll¨T@GT@GT@ÿÿÿÿÿÿïÀ@ðccsUTF-8UTF-16LEUNICODE(null)(null)EEE50P( 8PX700WP `h````xpxxxx_nextafter_logb_yn_y1_y0frexpfmod_hypot_cabsldexpmodffabsfloorceiltancossinsqrtatan2atanacosasintanhcoshsinhlog10logpowexpEncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: ÀÀÀÀÀÀÀÀÀÀe+000À~PAÿÿGAIsProcessorFeaturePresentKERNEL32 !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=EEE00P('8PW700PP (`h`hhhxppwpp Com request_handle: 0x00cc000c	1	1	0
InternetReadFile April 12, 2023, 9:13 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPELS4dà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00113800', u'virtual_address': u'0x0000c000', u'entropy': 7.964183106285193, u'name': u'.rsrc', u'virtual_size': u'0x00114000'}

entropy

7.96418310629

description

A section with a high entropy has been found

entropy

0.971353018951

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 12, 2023, 9:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 12, 2023, 9:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: 7-Zip base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: AddressBook base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Adobe AIR base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Connection Manager base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: EditPlus base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Fontcore base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Google Chrome base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: IE40 base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: IE4Data base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: IEData base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: WIC base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW April 12, 2023, 9:12 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000003ac key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (4 events)

host	179.43.155.247
host	185.161.248.90
host	80.66.79.86
host	193.201.9.43

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService April 12, 2023, 9:12 a.m.	service_handle: 0x000000001aa44ba0 service_name: None control_code: 1		0	0
ControlService April 12, 2023, 9:12 a.m.	service_handle: 0x000000001aa44e40 service_name: None control_code: 1		0	0

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW April 12, 2023, 9:12 a.m.	key_handle: 0x000003a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (12 events)

Time & API	Arguments	Status	Return
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA April 12, 2023, 9:12 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.70&sd=04910b&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

lega.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All