Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 24, 2023, 8:50 a.m.	April 24, 2023, 8:58 a.m.

Size	13.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9f390e9ca00464a6f7e1ce321baceb22`
SHA256	`255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7`
CRC32	`4F1C4326`
ssdeep	`393216:M1xsX4B8eD3F+oI9KtC9I5cfZLxsaZf4nT70mrsMYd:M1GI9FQmOfZLSP0Qc`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet OS_Processor_Check_Zero - OS Processor Check Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2052
- nig1r21312312.exe "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\animecool.exe
  2680
  - animecool.exe C:\Users\test22\AppData\Local\Temp\animecool.exe
    2804
    - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2184
- nig1r21312312.exe "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\animecool2.exe
  2724
  - animecool2.exe C:\Users\test22\AppData\Local\Temp\animecool2.exe
    2904
- nig1r21312312.exe "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\poxuipluspoxui.exe
  2764
  - poxuipluspoxui.exe C:\Users\test22\AppData\Local\Temp\poxuipluspoxui.exe
    2972
    - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2288
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
        1968
        
        nig1r21312312.exe nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
        2620
        
        nig1r21312312.exe nig1r21312312.exe exec hide cock123123444.bat
        2712
        
        cmd.exe cmd /c cock123123444.bat
        2796
        
        MisakaMikoto213213.exe MisakaMikoto213213.exe
        2916
        
        vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2988
        
        cockcreator.exe cockcreator.exe
        3068
- nig1r21312312.exe "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\govno312321412412.bat
  2844
  - cmd.exe cmd /c C:\Users\test22\AppData\Local\Temp\govno312321412412.bat
    3036
    - nig1r21312312.exe nig1r21312312.exe exec hide fds333333333333333.bat
      1792
      - cmd.exe cmd /c fds333333333333333.bat
        2120
        
        timeout.exe timeout 60
        1132

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

IP Address	Status	Action
15.228.89.234	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.172	Active	Moloch
195.20.17.139	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49191 -> 172.67.75.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49191 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8b:21:8f:0f:6e:2d:53:34:b7:d3:f5:58:58:99:01:63:93:81:e6:f1

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 24, 2023, 8:56 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:56 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:56 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:57 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:57 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:57 a.m.			0	0
IsDebuggerPresent April 24, 2023, 8:57 a.m.			0	0

Command line console output was observed (50 out of 112 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ°Ð½Ð½ÑÐµ ÑÑÐ¿ÐµÑÐ½Ð¾ Ð·Ð°Ð¿Ð¸ÑÐ°Ð½Ñ Ð² ÑÐ°Ð¹Ð» console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: output.txt console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ°Ð½Ð½ÑÐµ ÑÑÐ¿ÐµÑÐ½Ð¾ Ð·Ð°Ð¿Ð¸ÑÐ°Ð½Ñ Ð² ÑÐ°Ð¹Ð» console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: output.txt console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ°Ð½Ð½ÑÐµ ÑÑÐ¿ÐµÑÐ½Ð¾ Ð·Ð°Ð¿Ð¸ÑÐ°Ð½Ñ Ð² ÑÐ°Ð¹Ð» console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: output.txt console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Random vector: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Max: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÑÑÐ¾ÑÑÐ¸ÑÐ¾Ð²Ð°Ð½Ð½ÑÐ¹ Ð²ÐµÐºÑÐ¾Ñ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐµÐºÑÐ¾Ñ Ñ ÑÐµÑÐ½ÑÐ¼Ð¸ ÑÐ¸ÑÐ»Ð°Ð¼Ð¸: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÑÑÐ¾Ð´Ð½ÑÐ¹ ÑÐµÐºÑÑ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Hello, World! console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Ð¢ÐµÐºÑÑ Ð² Ð²ÐµÑÑÐ½ÐµÐ¼ ÑÐµÐ³Ð¸ÑÑÑÐµ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: HELLO, WORLD! console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Ð¢ÐµÐºÑÑ Ð² Ð½Ð¸Ð¶Ð½ÐµÐ¼ ÑÐµÐ³Ð¸ÑÑÑÐµ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: hello, world! console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Ð¡Ð»Ð¾Ð²Ð¾ ' console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: level console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ' Ð¿Ð°Ð»Ð¸Ð½Ð´ÑÐ¾Ð¼? console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ° console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ¾Ð»Ð¸ÑÐµÑÑÐ²Ð¾ ÑÐ¸Ð¼Ð²Ð¾Ð»Ð¾Ð² Ð² ÑÐµÐºÑÑÐµ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: H console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: W console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ°Ð½Ð½ÑÐµ ÑÑÐ¿ÐµÑÐ½Ð¾ Ð·Ð°Ð¿Ð¸ÑÐ°Ð½Ñ Ð² ÑÐ°Ð¹Ð» console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: output.txt console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ°Ð½Ð½ÑÐµ ÑÑÐ¿ÐµÑÐ½Ð¾ Ð·Ð°Ð¿Ð¸ÑÐ°Ð½Ñ Ð² ÑÐ°Ð¹Ð» console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: output.txt console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ°Ð½Ð½ÑÐµ ÑÑÐ¿ÐµÑÐ½Ð¾ Ð·Ð°Ð¿Ð¸ÑÐ°Ð½Ñ Ð² ÑÐ°Ð¹Ð» console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: output.txt console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Random vector: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Max: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÑÑÐ¾ÑÑÐ¸ÑÐ¾Ð²Ð°Ð½Ð½ÑÐ¹ Ð²ÐµÐºÑÐ¾Ñ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐµÐºÑÐ¾Ñ Ñ ÑÐµÑÐ½ÑÐ¼Ð¸ ÑÐ¸ÑÐ»Ð°Ð¼Ð¸: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÑÑÐ¾Ð´Ð½ÑÐ¹ ÑÐµÐºÑÑ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Hello, World! console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Ð¢ÐµÐºÑÑ Ð² Ð²ÐµÑÑÐ½ÐµÐ¼ ÑÐµÐ³Ð¸ÑÑÑÐµ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: HELLO, WORLD! console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Ð¢ÐµÐºÑÑ Ð² Ð½Ð¸Ð¶Ð½ÐµÐ¼ ÑÐµÐ³Ð¸ÑÑÑÐµ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: hello, world! console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: Ð¡Ð»Ð¾Ð²Ð¾ ' console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: level console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ' Ð¿Ð°Ð»Ð¸Ð½Ð´ÑÐ¾Ð¼? console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ° console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: ÐÐ¾Ð»Ð¸ÑÐµÑÑÐ²Ð¾ ÑÐ¸Ð¼Ð²Ð¾Ð»Ð¾Ð² Ð² ÑÐµÐºÑÑÐµ: console_handle: 0x00000007	1	1
WriteConsoleA April 24, 2023, 8:56 a.m.	buffer: H console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0035f4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05832828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05832828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2023, 8:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x058326a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 24, 2023, 8:56 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (14 events)

Time & API	Arguments	Status
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0xaa9909 0xaa970b 0xaa727d 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaa9a40 registers.esp: 2157456 registers.edi: 2157508 registers.eax: 0 registers.ebp: 2157520 registers.edx: 3482560 registers.ebx: 2158700 registers.esi: 44828652 registers.ecx: 0	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5184a1c 0x51842b2 0x5184185 0x5182a3b 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156016 registers.edi: 2156360 registers.eax: 0 registers.ebp: 2156024 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44982460 registers.ecx: 45026120	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5184a1c 0x51842b2 0x518419d 0x5182a3b 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156016 registers.edi: 2156360 registers.eax: 0 registers.ebp: 2156024 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 46330840	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5184a1c 0x51842b2 0x518419d 0x5182a3b 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156016 registers.edi: 2156360 registers.eax: 0 registers.ebp: 2156024 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 47634600	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5189426 0x5188ce1 0x5184185 0x5182d24 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2155992 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156000 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 44386360	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5189426 0x5188ce1 0x518419d 0x5182d24 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2155992 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156000 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 45686424	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5189426 0x5188ce1 0x518419d 0x5182d24 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2155992 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156000 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 47033176	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5189d52 0x51896f9 0x5184185 0x5182e3c 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156044 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156052 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 48380048	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5189d52 0x51896f9 0x518419d 0x5182e3c 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156044 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156052 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 45138456	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x5189d52 0x51896f9 0x518419d 0x5182e3c 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156044 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156052 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 44607880	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x518a464 0x5189ec1 0x5184185 0x5182f42 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156076 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156084 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 46143080	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x518a464 0x5189ec1 0x518419d 0x5182f42 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156076 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156084 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44409612 registers.ecx: 44647680	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x518a464 0x5189ec1 0x518419d 0x5182f42 0x5181c54 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156076 registers.edi: 2156384 registers.eax: 0 registers.ebp: 2156084 registers.edx: 0 registers.ebx: 2158700 registers.esi: 44391440 registers.ecx: 46043952	1
__exception__ April 24, 2023, 8:57 a.m.	stacktrace: 0x5188918 0x518b7eb 0x518ad96 0x5181cac 0xaad4b2 0xaa72fe 0xaa6a8b 0xaa3c08 0xaa35d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72c42652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72c5264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72c52e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72d074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72d07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72d91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72d91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72d91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72d9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7334f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73537f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73534de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x518895b registers.esp: 2156896 registers.edi: 2157160 registers.eax: 0 registers.ebp: 2156904 registers.edx: 0 registers.ebx: 2158700 registers.esi: 46613204 registers.ecx: 46620180	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/ip

Performs some HTTP requests (1 event)

request

GET https://api.ip.sb/ip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 110 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00935000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00937000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00926000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 66 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cookies

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\cockcreator.exe
file	C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe
file	C:\Users\test22\AppData\Local\Temp\animecool.exe
file	C:\Users\test22\AppData\Local\Temp\animecool2.exe
file	C:\Users\test22\AppData\Local\Temp\cock123123444.bat
file	C:\Users\test22\AppData\Local\Temp\poxuipluspoxui.exe
file	C:\Users\test22\AppData\Local\Temp\fds333333333333333.bat
file	C:\Users\test22\AppData\Local\Temp\MisakaMikoto213213.exe
file	C:\Users\test22\AppData\Local\Temp\govno312321412412.bat
file	C:\Users\test22\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe
file	C:\Users\test22\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat
file	C:\Users\test22\AppData\Local\Temp\MisakaMikoto213213.exe
file	C:\Users\test22\AppData\Local\Temp\cockcreator.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\poxuipluspoxui.exe
file	C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe
file	C:\Users\test22\AppData\Local\Temp\MisakaMikoto213213.exe
file	C:\Users\test22\AppData\Local\Temp\animecool.exe
file	C:\Users\test22\AppData\Local\Temp\animecool2.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 24, 2023, 8:57 a.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 24, 2023, 8:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (26 events)

description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000244 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: 7-Zip base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: AddressBook base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Adobe AIR base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Connection Manager base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: EditPlus base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Fontcore base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Google Chrome base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: IE40 base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: IE4Data base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: IEData base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: WIC base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW April 24, 2023, 8:57 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000244 key_handle: 0x00000248 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (2 events)

host	15.228.89.234
host	195.20.17.139

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000024	1

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;Ã\|Ãà0 @@ @8 S@>à H.text `.rsrc>@@@.relocà @B base_address: 0x00210000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: 0 base_address: 0x0023e000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: ! base_address: 0xfffde008 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñbà"0N* @@ @ü)O@` H.textT `.rsrc@@@.reloc`@B base_address: 0x001f0000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: 0HÔ!(( 0orp( %( ¢%r#p¢%r7p¢%rGp¢%r]p¢%rop¢( rp( ( rp( %¢( ( -( &rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( ( ( rµp( rp( ( -rp( ( ( rßp( s s % o o &BSJBv4.0.30319l`#~Ìø#StringsÄ#USÔ#GUIDäD#BlobG ú%3¡ÈîJS¥rùÚj6O^f<f½¤« S"îÅîÏîS?á ì 1 ¹SæúX õ P M´MM!MA1MP9MPAMPIMPQMPYMPaMPiMqMPyMPMP¡Ø±4±Ì±4!¹Á'¹æ,ÉÁ'Éá2MPÑMÑ9ÑÛ? M..".G.#U.+b.3b.;b.CU.Kh.Sb.[b.c.k¯.s¼úî<Module>System.IOmscorlibFileConsoleWriteLineCombineGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeputin.exeSystem.Runtime.VersioningStringGetTempPathGetFolderPathProgramSystemMainputinSystem.Reflectionset_StartInfoProcessStartInfoDirectoryInfoSpecialFolder.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesargsProcessExistsObjectEnvironmentStartCopyCreateDirectory!huesos ti ebnasiMicrosoftWindowsStart MenuProgramsStartupdolbaeb%poxuipluspoxui.exe)bil bi ti chelovekom-sdfsfs3wefdsfsdfsd.batðzÐ¿NL_´5¦E·z\V4à TWrapNonExceptionThrows AutoRunCopyright Â© 2022 )$afb82541-d16a-4fb8-b0d0-674b41ed694b1.0.0.0G.NETFramework,Version=v4.0TFrameworkDisplayName.NET Framework 4EUa E $> 0*_CorExeMainmscoree.dllÿ% @ base_address: 0x001f2000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: P8h @¤Cê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°dStringFileInfo@000004b0Comments"CompanyName8FileDescriptionAutoRun0FileVersion1.0.0.04 InternalNameputin.exeHLegalCopyrightCopyright © 2022*LegalTrademarks< OriginalFilenameputin.exe0ProductNameAutoRun4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x001f4000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: P: base_address: 0x001f6000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELu-Hcà"0¢À à@ `8ÀSàÆ H.text ¢ `.rsrcÆà¤@@.relocª@B base_address: 0x000b0000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: P8h à<Üãê<4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfox000004b0Comments"CompanyNameB FileDescriptionh1m3k0 1n4840FileVersion1.0.0.0BInternalNameh1m3k0 1n484.exeHLegalCopyrightCopyright © 2022*LegalTrademarksJOriginalFilenameh1m3k0 1n484.exe: ProductNameh1m3k0 1n4844ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000be000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: À0 base_address: 0x000c0000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2988 process_handle: 0x00000024	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;Ã\|Ãà0 @@ @8 S@>à H.text `.rsrc>@@@.relocà @B base_address: 0x00210000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñbà"0N* @@ @ü)O@` H.textT `.rsrc@@@.reloc`@B base_address: 0x001f0000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELu-Hcà"0¢À à@ `8ÀSàÆ H.text ¢ `.rsrcÆà¤@@.relocª@B base_address: 0x000b0000 process_identifier: 2988 process_handle: 0x00000024	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW April 24, 2023, 8:57 a.m.	key_handle: 0x00000248 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 called NtSetContextThread to modify thread in remote process 2184
Process injection	Process 2972 called NtSetContextThread to modify thread in remote process 2288
Process injection	Process 2916 called NtSetContextThread to modify thread in remote process 2988
NtSetContextThread April 24, 2023, 8:57 a.m.	registers.eip: 2005598660 registers.esp: 2161372 registers.edi: 0 registers.eax: 743328445 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2184	1	0	0
NtSetContextThread April 24, 2023, 8:56 a.m.	registers.eip: 2005598660 registers.esp: 1637336 registers.edi: 0 registers.eax: 743068797 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2288	1	0	0
NtSetContextThread April 24, 2023, 8:57 a.m.	registers.eip: 2005598660 registers.esp: 4127712 registers.edi: 0 registers.eax: 741796541 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2988	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 resumed a thread in remote process 2184
Process injection	Process 2972 resumed a thread in remote process 2288
Process injection	Process 2916 resumed a thread in remote process 2988
NtResumeThread April 24, 2023, 8:57 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2184	1	0	0
NtResumeThread April 24, 2023, 8:56 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2288	1	0	0
NtResumeThread April 24, 2023, 8:57 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2988	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 64 events)

Time & API	Arguments	Status	Return
NtResumeThread April 24, 2023, 8:50 a.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW April 24, 2023, 8:50 a.m.	thread_identifier: 2684 thread_handle: 0x0000030c process_identifier: 2680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\animecool.exe filepath_r: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW April 24, 2023, 8:50 a.m.	thread_identifier: 2728 thread_handle: 0x000002c0 process_identifier: 2724 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\animecool2.exe filepath_r: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
CreateProcessInternalW April 24, 2023, 8:50 a.m.	thread_identifier: 2768 thread_handle: 0x000002bc process_identifier: 2764 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\poxuipluspoxui.exe filepath_r: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
CreateProcessInternalW April 24, 2023, 8:50 a.m.	thread_identifier: 2848 thread_handle: 0x000002b4 process_identifier: 2844 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\test22\AppData\Local\Temp\govno312321412412.bat filepath_r: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2808 thread_handle: 0x000000b0 process_identifier: 2804 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\animecool.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2908 thread_handle: 0x000000b0 process_identifier: 2904 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\animecool2.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2976 thread_handle: 0x000000b0 process_identifier: 2972 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\poxuipluspoxui.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:57 a.m.	thread_identifier: 1960 thread_handle: 0x00000020 process_identifier: 2184 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread April 24, 2023, 8:57 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2184 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;Ã\|Ãà0 @@ @8 S@>à H.text `.rsrc>@@@.relocà @B base_address: 0x00210000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: base_address: 0x00212000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: base_address: 0x00234000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: 0 base_address: 0x0023e000 process_identifier: 2184 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: ! base_address: 0xfffde008 process_identifier: 2184 process_handle: 0x0000002c	1	1
NtSetContextThread April 24, 2023, 8:57 a.m.	registers.eip: 2005598660 registers.esp: 2161372 registers.edi: 0 registers.eax: 743328445 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2184	1	0
NtResumeThread April 24, 2023, 8:57 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2184	1	0
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 3040 thread_handle: 0x000000b0 process_identifier: 3036 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\govno312321412412.bat filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2292 thread_handle: 0x00000020 process_identifier: 2288 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread April 24, 2023, 8:56 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory April 24, 2023, 8:56 a.m.	process_identifier: 2288 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñbà"0N* @@ @ü)O@` H.textT `.rsrc@@@.reloc`@B base_address: 0x001f0000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: 0HÔ!(( 0orp( %( ¢%r#p¢%r7p¢%rGp¢%r]p¢%rop¢( rp( ( rp( %¢( ( -( &rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( rp( ( ( rµp( rp( ( -rp( ( ( rßp( s s % o o &BSJBv4.0.30319l`#~Ìø#StringsÄ#USÔ#GUIDäD#BlobG ú%3¡ÈîJS¥rùÚj6O^f<f½¤« S"îÅîÏîS?á ì 1 ¹SæúX õ P M´MM!MA1MP9MPAMPIMPQMPYMPaMPiMqMPyMPMP¡Ø±4±Ì±4!¹Á'¹æ,ÉÁ'Éá2MPÑMÑ9ÑÛ? M..".G.#U.+b.3b.;b.CU.Kh.Sb.[b.c.k¯.s¼úî<Module>System.IOmscorlibFileConsoleWriteLineCombineGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeputin.exeSystem.Runtime.VersioningStringGetTempPathGetFolderPathProgramSystemMainputinSystem.Reflectionset_StartInfoProcessStartInfoDirectoryInfoSpecialFolder.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesargsProcessExistsObjectEnvironmentStartCopyCreateDirectory!huesos ti ebnasiMicrosoftWindowsStart MenuProgramsStartupdolbaeb%poxuipluspoxui.exe)bil bi ti chelovekom-sdfsfs3wefdsfsdfsd.batðzÐ¿NL_´5¦E·z\V4à TWrapNonExceptionThrows AutoRunCopyright Â© 2022 )$afb82541-d16a-4fb8-b0d0-674b41ed694b1.0.0.0G.NETFramework,Version=v4.0TFrameworkDisplayName.NET Framework 4EUa E $> 0*_CorExeMainmscoree.dllÿ% @ base_address: 0x001f2000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: P8h @¤Cê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°dStringFileInfo@000004b0Comments"CompanyName8FileDescriptionAutoRun0FileVersion1.0.0.04 InternalNameputin.exeHLegalCopyrightCopyright © 2022*LegalTrademarks< OriginalFilenameputin.exe0ProductNameAutoRun4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x001f4000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: P: base_address: 0x001f6000 process_identifier: 2288 process_handle: 0x0000002c	1	1
WriteProcessMemory April 24, 2023, 8:56 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2288 process_handle: 0x0000002c	1	1
NtSetContextThread April 24, 2023, 8:56 a.m.	registers.eip: 2005598660 registers.esp: 1637336 registers.edi: 0 registers.eax: 743068797 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2288	1	0
NtResumeThread April 24, 2023, 8:56 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2288	1	0
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2088 thread_handle: 0x00000088 process_identifier: 1792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe track: 1 command_line: nig1r21312312.exe exec hide fds333333333333333.bat filepath_r: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2176 thread_handle: 0x000000b0 process_identifier: 2120 current_directory: filepath: track: 1 command_line: fds333333333333333.bat filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 524 thread_handle: 0x00000084 process_identifier: 1132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 60 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread April 24, 2023, 8:56 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2288	1	0
NtResumeThread April 24, 2023, 8:56 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2288	1	0
NtResumeThread April 24, 2023, 8:56 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2288	1	0
NtResumeThread April 24, 2023, 8:56 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2288	1	0
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2200 thread_handle: 0x0000039c process_identifier: 1968 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a0	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2628 thread_handle: 0x00000088 process_identifier: 2620 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe track: 1 command_line: nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat filepath_r: C:\Users\test22\AppData\Local\Temp\nig1r21312312.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2708 thread_handle: 0x000000b0 process_identifier: 2712 current_directory: filepath: track: 1 command_line: nig1r21312312.exe exec hide cock123123444.bat filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2828 thread_handle: 0x000000b0 process_identifier: 2796 current_directory: filepath: track: 1 command_line: cock123123444.bat filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000b4	1	1
CreateProcessInternalW April 24, 2023, 8:56 a.m.	thread_identifier: 2132 thread_handle: 0x00000088 process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\MisakaMikoto213213.exe track: 1 command_line: MisakaMikoto213213.exe filepath_r: C:\Users\test22\AppData\Local\Temp\MisakaMikoto213213.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW April 24, 2023, 8:57 a.m.	thread_identifier: 3064 thread_handle: 0x00000084 process_identifier: 3068 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\cockcreator.exe track: 1 command_line: cockcreator.exe filepath_r: C:\Users\test22\AppData\Local\Temp\cockcreator.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW April 24, 2023, 8:57 a.m.	thread_identifier: 2992 thread_handle: 0x00000020 process_identifier: 2988 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000024	1	1
NtGetContextThread April 24, 2023, 8:57 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory April 24, 2023, 8:57 a.m.	process_identifier: 2988 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000024	1	0
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELu-Hcà"0¢À à@ `8ÀSàÆ H.text ¢ `.rsrcÆà¤@@.relocª@B base_address: 0x000b0000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: base_address: 0x000b2000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: P8h à<Üãê<4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfox000004b0Comments"CompanyNameB FileDescriptionh1m3k0 1n4840FileVersion1.0.0.0BInternalNameh1m3k0 1n484.exeHLegalCopyrightCopyright © 2022*LegalTrademarksJOriginalFilenameh1m3k0 1n484.exe: ProductNameh1m3k0 1n4844ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000be000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: À0 base_address: 0x000c0000 process_identifier: 2988 process_handle: 0x00000024	1	1
WriteProcessMemory April 24, 2023, 8:57 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2988 process_handle: 0x00000024	1	1

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Cerbu.4!c
MicroWorld-eScan	Trojan.Generic.33507606
FireEye	Generic.mg.9f390e9ca00464a6
McAfee	Artemis!9F390E9CA004
Malwarebytes	Generic.Trojan.Malicious.DDS
VIPRE	Trojan.Generic.33507606
Sangfor	Spyware.Win32.Agent.Vctd
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Generic.33507606
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Cyren	W32/S-f2662838!Eldorado
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Kaspersky	Trojan-Spy.Win32.Stealer.duhy
Alibaba	TrojanSpy:Win32/Stealer.6fd2de70
Sophos	Generic Reputation PUA (PUA)
F-Secure	Heuristic.HEUR/AGEN.1318801
DrWeb	Trojan.Siggen20.2847
TrendMicro	TrojanSpy.Win32.REDLINE.YXDDUZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Trojan.Generic.33507606 (B)
Ikarus	Trojan.Win32.Krypt
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft	Ransom.Win32.Sabsik.sa
Arcabit	Trojan.Generic.D1FF4916
ZoneAlarm	Trojan-Spy.Win32.Stealer.duhy
GData	Trojan.Generic.33507606
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5416736
Acronis	suspicious
VBA32	BScope.Trojan.Inject
DeepInstinct	MALICIOUS
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DDL23
Rising	Trojan.Generic@AI.93 (RDML:/GjY3skbUxB8C6UUWD+QLA)
SentinelOne	Static AI - Suspicious SFX
Fortinet	W32/ESWU!tr
AVG	Win32:Evo-gen [Trj]
Avast	Win32:Evo-gen [Trj]

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All