Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 31, 2023, 5:27 p.m.	July 31, 2023, 5:29 p.m.

Size	6.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`57794b001e1e8c4917aaa864268fec36`
SHA256	`5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862`
CRC32	`CDFA2D3D`
ssdeep	`196608:gbJEeOGZPuknu4TNAzGx2tXuqIg1YJwPj:gbaElhDSus1YJwPj`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature VMProtect_Zero - VMProtect packed file IsPE32 - (no description)

a3e34cb.exe "C:\Users\test22\AppData\Local\Temp\a3e34cb.exe"
2652
- bstyoops.exe "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
  2816
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
    2880
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "test22:N"&&CACLS "..\c2868ed41c" /P "test22:R" /E&&Exit
    2940
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      3008
    - cacls.exe CACLS "bstyoops.exe" /P "test22:N"
      3048
    - cacls.exe CACLS "bstyoops.exe" /P "test22:R" /E
      1152
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      1728
    - cacls.exe CACLS "..\c2868ed41c" /P "test22:N"
      1264
    - cacls.exe CACLS "..\c2868ed41c" /P "test22:R" /E
      2192
  - BRA.exe "C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe"
    2440
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1000058061\sf64r.dll, rundll
    2716
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1000058061\sf64r.dll, rundll
      2772
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
lobret.co.za	A 41.185.8.154	41.185.8.154
cat.lobret.co.za	A 41.185.8.154	41.185.8.154

IP Address	Status	Action
164.124.101.2	Active	Moloch
41.185.8.154	Active	Moloch
45.9.74.141	Active	Moloch
45.9.74.166	Active	Moloch
5.42.65.67	Active	Moloch
95.143.190.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 45.9.74.141:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 45.9.74.141:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49174 -> 45.9.74.166:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 45.9.74.166:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 41.185.8.154:80 -> 192.168.56.101:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 41.185.8.154:80 -> 192.168.56.101:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 41.185.8.154:80 -> 192.168.56.101:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 41.185.8.154:80 -> 192.168.56.101:49180	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 45.9.74.141:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 95.143.190.57:15647 -> 192.168.56.101:49179	2029217	ET MALWARE Arechclient2 Backdoor CnC Init	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 45.9.74.141:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 31, 2023, 5:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:28 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2023, 5:27 p.m.			0	0
IsDebuggerPresent July 31, 2023, 5:27 p.m.			0	0
IsDebuggerPresent July 31, 2023, 5:21 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 31, 2023, 5:27 p.m.	buffer: SUCCESS: The scheduled task "bstyoops.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW July 31, 2023, 5:27 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW July 31, 2023, 5:27 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA July 31, 2023, 5:27 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf08d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf08d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf08d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf08d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf08d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00bf0918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2023, 5:27 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.vmp0
section	.vmp1
section	.:.:.:.:

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ July 31, 2023, 5:27 p.m.	stacktrace: bra+0x3c05a6 @ 0x7c05a6 bra+0x3c0698 @ 0x7c0698 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 88 ad bd 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1638148 registers.edi: 4890624 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 1995994155 registers.ecx: 2362638336	1
__exception__ July 31, 2023, 5:27 p.m.	stacktrace: exception.instruction_r: ed e9 e2 bb 0a 00 c3 e9 eb 11 08 00 21 00 00 00 exception.symbol: bra+0x34d34a exception.instruction: in eax, dx exception.module: BRA.exe exception.exception_code: 0xc0000096 exception.offset: 3461962 exception.address: 0x74d34a registers.esp: 1638268 registers.edi: 6364450 registers.eax: 1750617430 registers.ebp: 4890624 registers.edx: 546902 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ July 31, 2023, 5:27 p.m.	stacktrace: exception.instruction_r: ed e9 41 5d 10 00 be 2e db d9 ff ff 07 c4 ff ff exception.symbol: bra+0x2edd03 exception.instruction: in eax, dx exception.module: BRA.exe exception.exception_code: 0xc0000096 exception.offset: 3071235 exception.address: 0x6edd03 registers.esp: 1638268 registers.edi: 6364450 registers.eax: 1447909480 registers.ebp: 4890624 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x64882d8 0x6487fa6 0x64872f9 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x64883cd registers.esp: 104262280 registers.edi: 44552576 registers.eax: 0 registers.ebp: 104262312 registers.edx: 13213872 registers.ebx: 29 registers.esi: 44552792 registers.ecx: 0	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x648dc3f 0x648db39 0x648cd80 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259692 registers.edi: 0 registers.eax: 0 registers.ebp: 104259764 registers.edx: 102772848 registers.ebx: 44818592 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x648dc3f 0x648db39 0x648cd80 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259692 registers.edi: 0 registers.eax: 0 registers.ebp: 104259764 registers.edx: 102772848 registers.ebx: 46185620 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x648dc3f 0x648db39 0x648cd80 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259692 registers.edi: 0 registers.eax: 0 registers.ebp: 104259764 registers.edx: 102772848 registers.ebx: 47539044 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab3dd9 0x6ab39a9 0x648ce1e 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259328 registers.edi: 0 registers.eax: 0 registers.ebp: 104259400 registers.edx: 102772848 registers.ebx: 44698888 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab3dd9 0x6ab39a9 0x648ce1e 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259328 registers.edi: 0 registers.eax: 0 registers.ebp: 104259400 registers.edx: 102772848 registers.ebx: 46130016 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab3dd9 0x6ab39a9 0x648ce1e 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259328 registers.edi: 0 registers.eax: 0 registers.ebp: 104259400 registers.edx: 102772848 registers.ebx: 47968636 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab4b95 0x6ab4aa9 0x648ce95 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259808 registers.edi: 0 registers.eax: 0 registers.ebp: 104259880 registers.edx: 102772848 registers.ebx: 44546204 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab4b95 0x6ab4aa9 0x648ce95 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259808 registers.edi: 0 registers.eax: 0 registers.ebp: 104259880 registers.edx: 102772848 registers.ebx: 44596692 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab4b95 0x6ab4aa9 0x648ce95 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259808 registers.edi: 0 registers.eax: 0 registers.ebp: 104259880 registers.edx: 102772848 registers.ebx: 46088260 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab5182 0x6ab5069 0x648cf0c 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259244 registers.edi: 0 registers.eax: 0 registers.ebp: 104259316 registers.edx: 102772848 registers.ebx: 44529352 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab5182 0x6ab5069 0x648cf0c 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259244 registers.edi: 0 registers.eax: 0 registers.ebp: 104259316 registers.edx: 102772848 registers.ebx: 46023576 registers.esi: 7 registers.ecx: 102773896	1
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: 0x6ab5182 0x6ab5069 0x648cf0c 0x6489fb2 0x648878e 0x6487341 0x6486f7c 0x6485336 0x6484a4d 0x6482756 0x58dcfb7 0x58dc643 0x58dc3cd system+0x205d05 @ 0x70f85d05 system+0x205cdf @ 0x70f85cdf mscorlib+0x302367 @ 0x71a02367 mscorlib+0x3022a6 @ 0x71a022a6 mscorlib+0x302261 @ 0x71a02261 system+0x205c60 @ 0x70f85c60 system+0x205467 @ 0x70f85467 mscorlib+0x34bb1e @ 0x71a4bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x727b9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x728d90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72817d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72817dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72817e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x727ac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x728d91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x728d91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x729171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x728ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 89 45 c0 eb 11 e8 85 3d 31 6c eb 0a e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x648e9b3 registers.esp: 104259244 registers.edi: 0 registers.eax: 0 registers.ebp: 104259316 registers.edx: 102772848 registers.ebx: 43933800 registers.esi: 7 registers.ecx: 102773896	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.9.74.141/b7djSDcPcZ/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.9.74.166/b7djSDcPcZ/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://lobret.co.za/BRA.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cat.lobret.co.za/sf64r.dll

Performs some HTTP requests (4 events)

request	POST http://45.9.74.141/b7djSDcPcZ/index.php
request	POST http://45.9.74.166/b7djSDcPcZ/index.php
request	GET http://lobret.co.za/BRA.exe
request	GET http://cat.lobret.co.za/sf64r.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://45.9.74.141/b7djSDcPcZ/index.php
request	POST http://45.9.74.166/b7djSDcPcZ/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1927 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:21 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7598b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7598b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75980000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75703000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7585f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75868000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ec000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:27 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7597b000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckpaelocniggkheibcacecnmmlmeodfa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe
file	C:\Users\test22\AppData\Local\Temp\1000058061\sf64r.dll

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c2868ed41c" /P "test22:N"&&CACLS "..\c2868ed41c" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe
file	C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe
file	C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 31, 2023, 5:27 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe	1	1
ShellExecuteExW July 31, 2023, 5:27 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW July 31, 2023, 5:27 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c2868ed41c" /P "test22:N"&&CACLS "..\c2868ed41c" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW July 31, 2023, 5:27 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe	1	1
ShellExecuteExW July 31, 2023, 5:27 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Local\Temp\1000058061\sf64r.dll, rundll filepath: rundll32.exe	1	1

An executable file was downloaded by the process bstyoops.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 31, 2023, 5:27 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELWþ¼dà^Î(<F @ j+: P¿Ë ` 4 `.rsrc¿ËÌ8@@ ` @B.idata @À.themida`; `à.bootú#Fú#``ª¨ö:qÁNóqí#ÞjDÊsF¢izm5æÖ}¸:þÚ©ðóÛhOíu»ý~Ñ¼¦]»òÔ¼HgH¢ì¦÷y¨Ü»³rÉOÛvðé°wçô¥º@Èhh¿-O¿¢ãÆÿ©«³¾¶èÎª ºª°h¿ aâíÝ\|Û\wgÿº7¡Úz"ÁäÒ~¥Ò°<Éþú¹@éáwcüôó:Ðj¡C?ö®£\|´ê\|:ëÆa,º~Æêò«¬´± ëAº74"ñt¡&¸]®ÔÀ÷§«Ôxs}ø¢èF££ ÷' ÄÊ0 Û¨Õâ!ã¡t\|÷x Á ÛØ\"RyIÊÚ!ùu±Õ¡ûtñ©ÚbÞIâÞªx´ºÙj{«Lî@m{Ôì TÓYãüÖá§´vévÄ´îÁ\íæÎÙ³aòØAðBiÜ¬q!VAyg´ûcøìþbÚú¥Õ´uù?£ ªtZöÞqXs4HÛ9¡Ì»üúØ<»ZÚ¯b¥]> y ¬ÑY:C®d1 þb¨Å6ñ¥7°,Õ'sÑäzîÖ.vÉÃwZÓyiY¹W~XÅRÈÛ%Þ¤ådòY9UQ>zuþïÄÔ0Ï¢wÈãó=5&d3Ø_ ³S§Ø!ð>>áXËyÀáÍ` ÜÞò_ë«ØùÑJ.¾ÝµªËVtbâ/°5¬·ÖÿfhSïõIÅÿwÆ8Ü WqßK¾m;Ô ?G¼MnTçáL¨vôïÀRÿ\ êlõ:²>ÕÇâ{þ^^Ê;{øhlÓÿðxxÙvw7õ.À¦²ù=B¢¨U/-Ò£t éÞ²°pþW¬ö°ú÷ÏÛ7ÃdðxÖ Þ²\Ò2{ø±}EóÁ, ú¿ïxXÃdXFÙKý @3ð}w,´&òJ³ ]2díwÿ¯¡Ñ¼v½È _£T]¨úNÁÀíPíõ ºõ®¼$Ï¦é=ºþþãHðs9ÛS}úà?vß;âÿÂþÜøLÛ Gpº@ùà\|ÑUìT=«b®1ã¾ýx4 Êåç\|¼õnüÑÙPWâøìIÒíÐ"pùx§íØSÙªXþò6áú¥¸÷7ßVÈ\«ÐOm_Éû2vçÚFÈ&Kø¨à¼,.Dzå7ü9A½& îpãÁè£äBÏGW".z-byª 1Å ìõ~¸mRW ÇÈÔ¶Â#ï¸PðÝÉÿrHjû^±ãl@Ð¹Ú©V/¹àm0Ê°£OßoxÓÖÌ®ñPj³Ü^kô}F=VêùñÃ¿$Û>}uh²¶ÓÃ¨4[Q4¬ ¦:høw¸&ì¬§ºY®´ÏÓï%Ò¾¤¢ñ¿Øý¡ÍÏâÊÁÀLÖ9dLÈ=?ÞÍ§¬Ñ1Óã:¢3cö 0Q Ãe>¾¥ôáëDvYCÐòÑÿ{F±a ñìÂteÛ^ïÌní`]ÄÌ8dyä§îè¤âÜ} rª¹N÷wëõ{ï> \lZ ÉÏÙ)ÈÚ©"ßh~à¾î;AÒVP¸Ò6Fs×9lQ~ìú´ávûr°Æ ¹7Á%R³ùd~ææÁ}TÖe¹}wövUÒuµ\|×¥íÊú3³fY£hÅÉ5ªw ¯L{BÌ'#Ïxw¬´C»O¾ÑR_ë«RÂ×ÝÀÌ0,XûòzÐV3Yåà¡u§8wº¨¹1s~QÖ¿¹øÙÈHRý,ò=©ÿìL8ô¤ó?îÂÊ1TvHþZk©kÑ89)`Ý¬òPª9ð¢ðKï³TO}+ç¢;È^X%Î¯zû¦ã;L¢G;2 »½Â7 ¯3QSÅsúòÄ\|öØ0Øî¶¡ûÒ¥ Øc.EëåLL,'>ñ3!r¸¸ús}Mº¤æH!àNNç²·)Z[`Çõw £íQT¡¨¿hïîv§Äqø,ìL¡Ò)&ß àbBÛ':õä Ôv2ØPÄÃaIØ-t@+>a¥7c2FàÀùýÕ9îàGt èvÚ¶ðSáâþìÖPÓª"ü´ÿ2§$R¦óñâµw:EÑw)ãÖ'âl}#i<ÌóQ²V3þ¾Ñe0òOCâJEJªVtµe¦~òo.FâOÉØHtcCägâpyÀ{qÐ]+ßQ3%úÇïæÐÜsÇòC ê'ò;,:QÛõ}ÃÄ'+³½`3NüÇãP9z%XT¬éK&ôz`-Ê^Æ÷Éòâ=T¼åk«` }±eqJ[¼§4EíPJúcKypïhÖ§³/Ûñäq¤QXô¬õ]ôÓ#@û¾ÞiÞçÿ×#QÃ[<¿DvÌ<ýcÊñ¦Ñ¤ jõ¿ 8·Ö=ya,úûúF!G&ËP±¤¶«e¹¨-JÙ²·/,LÒÚø§~¼"ðÚ TYiÏ¯ôÊpÜ Oå¨þõHLËÃÖrt-eZ}`ZÒÑ¤·zakÚÖ¶s{Æ75å}\kÕC>Ó¾.ùäÞð¤wõIòµD¸ö\|ÙòLo)z¥´} HÃvîÈ¾>BÍ$("<6PAX@CDüwôö³ÎN1ÌÔÒ"az~¸±ª¡~]s-ñØ#¿>Ï°ô8Ä'?ðhGçFÂ¦ Çfyöõuo{ åa =£¯!ïñ4¤Ùe3ZzâêÎyuÚ7Fz É02D"QÃú½Ïà0«)c4Ö>S,Fç°²fGíì!UQ:~ÌößÒ^jÒ1ü¾b¨ÞJ1%ÄlöºêQË%^Ö9~á{[ã °É`F i"Rø¬.ú1ý ¹¦TÞ¦H¬=or¡þT8¸`ó?ÚìêË-eø¹>÷´"ñ¾¡üu§nÕÏõÂrhj-ëjä£ïBUÛ\|¤¨¼³ÀP !(ýLíØxWY¨-ù´â\|Ô9(è;ò§Ð\¢ãþÄ¤{ioÆ{<fOì'¶ï=m¶P¢7MÕ}¬ÄþyMBY°-¸îC¹Ð ¡³ »¸®qäG]Åð>,½w¬ ¥b·È?Ñ¿´þ¡}äw'ë6x([Ó@ûÅýi¬±"$þt1r&À¸3åäÀ»tÚ_MâûqâB¡Ô·yêCÝ=Þ©1ZâµÖpt k+{³ßööoÂïy?øA*ºÝDßø-9FSY\º¦<¬ñú$«¸XÀ¬, request_handle: 0x00cc000c	1	1	0
InternetReadFile July 31, 2023, 5:27 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd ½ dð" .ôÓ¨¤%d@AEÀ8È¨Lð3¨$-Òc¨p¨´ DÀ.text- `.rdataU @@@.dataSP@À.pdata°`@@..%..%..ô,Dp `..%..%..@ D @À..%..%..±c°D²c`h.reloc´p¨Àc@@.rsrcL¨Âc@@Ø©FÇÄ EN;ìJspûJ,:ÒG½@Ãt°KÂEHÇD$ÓÀ¼ARIºÉRn6GDQH¹tZò!§sHL$E3ÒfE+ÒA÷ÒAº{üvA÷ÒAê5@¢uLT$ÿt$Hd$èdTèË=è³QM\NÙJÍXÙI±Ø¨!IÐË£vµ¡-§¶yUI©k1µàDh¶µöJE2+I¤UIôà»µ ìj¶dfÎ¶MÏmJïUãHIÊê¶¹=¥ÞJtØ¦`I .XµW?ôZ4àú tþ?Öâ¶î¦>0G@²Èú°`©Þi\|j248½«¶>;þÅ2FÆßæ8üð-¨xµ½;Ìq+#Ô`%^ò&(«û9bxTà¶8ô!õ%sÿØv½Ê#mÕ¹ª{iëõ_s Éëja^ßÔâ¡ZNjâT÷¹ÍkñHI68¶Õý¥Õ1ñ>ÿ>eS«Vº×àQG®CÝlD«K¬ÈDbè§¸)B)N»ú®ìDÂoØ¸«7lf»F1G)>6ÂD>o¼D¿â¸jÏ»×b'»þTipG4®ç¡DJÎ»Ö¡7G{¢Dë-\ð¸5£U¹q¯k®S¬ï¢0»Ðä"÷YCåÍ ÇIzíêRßæ¸û`è request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x006a6c00', u'virtual_address': u'0x0054d000', u'entropy': 7.9626956968499885, u'name': u'.:.:.:.:', u'virtual_size': u'0x006a6aa0'}

entropy

7.96269569685

description

A section with a high entropy has been found

entropy

0.972305496074

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000464 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: AddressBook base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: Connection Manager base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: EditPlus base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: Fontcore base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: Google Chrome base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: IE40 base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: IE4Data base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: IEData base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: WIC base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 31, 2023, 5:28 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000464 key_handle: 0x00000468 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (4 events)

host	45.9.74.141
host	45.9.74.166
host	5.42.65.67
host	95.143.190.57

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 31, 2023, 5:27 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 31, 2023, 5:27 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 31, 2023, 5:27 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

BRA.exe tried to sleep 5456546 seconds, actually delayed analysis time by 5456546 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BRA.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000057051\BRA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sf64r.dll	reg_value	rundll32 C:\Users\test22\AppData\Local\Temp\1000058061\sf64r.dll, rundll
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 31, 2023, 5:28 p.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c2868ed41c" /P "test22:N"&&CACLS "..\c2868ed41c" /P "test22:R" /E&&Exit
cmdline	CACLS "..\c2868ed41c" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\c2868ed41c" /P "test22:N"&&CACLS "..\c2868ed41c" /P "test22:R" /E&&Exit
cmdline	CACLS "bstyoops.exe" /P "test22:R" /E
cmdline	CACLS "..\c2868ed41c" /P "test22:N"
cmdline	CACLS "bstyoops.exe" /P "test22:N"

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 31, 2023, 5:27 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 31, 2023, 5:27 p.m.	stacktrace: exception.instruction_r: ed e9 41 5d 10 00 be 2e db d9 ff ff 07 c4 ff ff exception.symbol: bra+0x2edd03 exception.instruction: in eax, dx exception.module: BRA.exe exception.exception_code: 0xc0000096 exception.offset: 3071235 exception.address: 0x6edd03 registers.esp: 1638268 registers.edi: 6364450 registers.eax: 1447909480 registers.ebp: 4890624 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
FireEye	Generic.mg.57794b001e1e8c49
McAfee	Artemis!57794B001E1E
Cylance	unsafe
Sangfor	Trojan.Win32.Gencbl.V3df
BitDefenderTheta	Gen:NN.ZexaF.36318.@R2@amG8Msli
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenCBL.DWH
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware [Bot]
Sophos	Mal/Generic-S
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXDG5Z
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan-Downloader.Amadey.XMRQ4N
AhnLab-V3	Trojan/Win.Generic.R593962
Malwarebytes	Malware.AI.3621495015
Rising	Trojan.GenCBL!8.12138 (CLOUD)
Fortinet	W32/GenCBL.DWH!tr
AVG	FileRepMalware [Bot]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

5.42.65.67:4298

a3e34cb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All