Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 6, 2024, 10:37 a.m.	Sept. 6, 2024, 10:39 a.m.

Size	313.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`324d2a434b8a3e038661a75587e303b8`
SHA256	`5d06ec15c9349e9ae13d477fdab3d1a50b9bf784a726aff3a48dbcd5f99e493a`
CRC32	`A9435AAE`
ssdeep	`6144:xJcrjyufnjS1Ht3pHjDNItvNoCOD6iuh52HK7q1BU0H:HUuufjSVbJnn650K21`
PDB Path	c:\ey554xtmg\obj\Re\ease\U&.pdb
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) IsPE32 - (no description)

66d9ddfaa7a23_Porter.exe#main "C:\Users\test22\AppData\Local\Temp\66d9ddfaa7a23_Porter.exe#main"
652
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2148
  - conhost.exe "C:\Users\test22\AppData\Local\Temp\conhost.exe"
    2932
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\main\main.bat" /S"
      3008
      - mode.com mode 65,10
        1212
      - 7z.exe 7z.exe e file.zip -p29586644319935208542739921766 -oextracted
        2088
      - 7z.exe 7z.exe e extracted/file_11.zip -oextracted
        2196
      - 7z.exe 7z.exe e extracted/file_10.zip -oextracted
        2336
      - 7z.exe 7z.exe e extracted/file_9.zip -oextracted
        2292
      - 7z.exe 7z.exe e extracted/file_8.zip -oextracted
        948
      - 7z.exe 7z.exe e extracted/file_7.zip -oextracted
        2624
      - 7z.exe 7z.exe e extracted/file_6.zip -oextracted
        2584
      - 7z.exe 7z.exe e extracted/file_5.zip -oextracted
        2836
      - 7z.exe 7z.exe e extracted/file_4.zip -oextracted
        1228
      - 7z.exe 7z.exe e extracted/file_3.zip -oextracted
        2376
      - 7z.exe 7z.exe e extracted/file_2.zip -oextracted
        2824
      - 7z.exe 7z.exe e extracted/file_1.zip -oextracted
        2216
      - attrib.exe attrib +H "Installer.exe"
        2508
      - Installer.exe "Installer.exe"
        3044

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

IP Address	Status	Action
104.26.12.31	Active	Moloch
147.45.47.81	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.22	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.22:80 -> 192.168.56.103:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 104.26.12.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.22:80 -> 192.168.56.103:49165	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49170 -> 147.45.47.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49167 104.26.12.31:443	C=US, O=Google Trust Services, CN=WR1	CN=api.ip.sb	67:55:9d:38:46:36:29:e0:23:80:8c:58:24:25:99:c3:60:63:b7:0f

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 6, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Sept. 6, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Sept. 6, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Sept. 6, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Sept. 6, 2024, 10:38 a.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 6, 2024, 10:38 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\main> console_handle: 0x0000000000000007	1	1
WriteConsoleW Sept. 6, 2024, 10:38 a.m.	buffer: cls console_handle: 0x0000000000000007	1	1
WriteConsoleW Sept. 6, 2024, 10:38 a.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1
WriteConsoleW Sept. 6, 2024, 10:38 a.m.	buffer: 1 file(s) moved. console_handle: 0x0000000000000007	1	1
WriteConsoleW Sept. 6, 2024, 10:38 a.m.	buffer: Launched 'Installer.exe'. console_handle: 0x0000000000000007	1	1
WriteConsoleW Sept. 6, 2024, 10:38 a.m.	buffer: Press any key to continue . . . console_handle: 0x0000000000000007	1	1

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a44e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a44e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0080ef10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0080ef10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0080f790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a49a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a49a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2024, 10:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007a46e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

c:\ey554xtmg\obj\Re\ease\U&.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2024, 10:37 a.m.		1	1	0

One or more processes crashed (18 events)

Time & API	Arguments	Status
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7088cd 0x708756 0x70334b 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7089c0 registers.esp: 3403604 registers.edi: 3403656 registers.eax: 0 registers.ebp: 3403668 registers.edx: 7818392 registers.ebx: 3404772 registers.esi: 41671636 registers.ecx: 0	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4661b 0x7c4608f 0x7c45f8d 0x7c45039 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402464 registers.edi: 3402756 registers.eax: 0 registers.ebp: 3402472 registers.edx: 0 registers.ebx: 3404772 registers.esi: 45094928 registers.ecx: 46217556	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4661b 0x7c4608f 0x7c45fa5 0x7c45039 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402464 registers.edi: 3402756 registers.eax: 0 registers.ebp: 3402472 registers.edx: 0 registers.ebx: 3404772 registers.esi: 45094928 registers.ecx: 47524376	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4661b 0x7c4608f 0x7c45fa5 0x7c45039 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402464 registers.edi: 3402756 registers.eax: 0 registers.ebp: 3402472 registers.edx: 0 registers.ebx: 3404772 registers.esi: 45094928 registers.ecx: 41451516	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 8e ce 0f 6b 89 85 4c fe ff ff 8d bd 44 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c452cb registers.esp: 3402872 registers.edi: 3403636 registers.eax: 0 registers.ebp: 3403672 registers.edx: 0 registers.ebx: 3404772 registers.esi: 3403464 registers.ecx: 0	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4b57f 0x7c4b040 0x7c45f8d 0x7c45780 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402472 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402480 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234364 registers.ecx: 49098904	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4b57f 0x7c4b040 0x7c45fa5 0x7c45780 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402472 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402480 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234364 registers.ecx: 50450176	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4b57f 0x7c4b040 0x7c45fa5 0x7c45780 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402472 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402480 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234364 registers.ecx: 41781124	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4bd33 0x7c4b818 0x7c45f8d 0x7c45882 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402484 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402492 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 43132448	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4bd33 0x7c4b818 0x7c45fa5 0x7c45882 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402484 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402492 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 44531832	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4bd33 0x7c4b818 0x7c45fa5 0x7c45882 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402484 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402492 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 41246400	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4c1c5 0x7c4be70 0x7c45f8d 0x7c4596f 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402568 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402576 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 42469912	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4c1c5 0x7c4be70 0x7c45fa5 0x7c4596f 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402568 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402576 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 43871968	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4c1c5 0x7c4be70 0x7c45fa5 0x7c4596f 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402568 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402576 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 45274024	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4c620 0x7c4c2f8 0x7c45f8d 0x7c45a44 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402580 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402588 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 46252964	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4c620 0x7c4c2f8 0x7c45fa5 0x7c45a44 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402580 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402588 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 47649608	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4c620 0x7c4c2f8 0x7c45fa5 0x7c45a44 0x7c44237 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3402580 registers.edi: 3402784 registers.eax: 0 registers.ebp: 3402588 registers.edx: 0 registers.ebx: 3404772 registers.esi: 41234352 registers.ecx: 49046240	1
__exception__ Sept. 6, 2024, 10:37 a.m.	stacktrace: 0x7c4a340 0x7c4d5e4 0x7c4cdd5 0x7c44265 0x708aaf 0x703395 0x702f76 0x7006a3 0x700108 0x70009b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73e92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73ea264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73ea2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73f574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73f57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73fe1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73fe1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73fe1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73fe416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7453f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 04 89 45 fc 90 eb 00 8b 45 fc 8b e5 5d c3 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7c4a383 registers.esp: 3403132 registers.edi: 3403380 registers.eax: 0 registers.ebp: 3403140 registers.edx: 0 registers.ebx: 3404772 registers.esi: 49708584 registers.ecx: 49715768	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://147.45.47.81/conhost.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET https://api.ip.sb/ip

Performs some HTTP requests (2 events)

request	GET http://147.45.47.81/conhost.exe
request	GET https://api.ip.sb/ip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 123 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00302000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00395000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00397000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cbb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e8a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72831000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e0f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e10e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726db000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00701000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6df11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 6, 2024, 10:38 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9930088448 root_path: C:\Users\test22\AppData\Local\Temp\main total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\conhost.exe
file	C:\Users\test22\AppData\Local\Temp\main\extracted\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\main\KillDuplicate.cmd
file	C:\Users\test22\AppData\Local\Temp\main\7z.dll
file	C:\Users\test22\AppData\Local\Temp\main\main.bat
file	C:\Users\test22\AppData\Local\Temp\main\7z.exe

Creates hidden or system file (4 events)

Time & API	Arguments	Return
NtCreateFile Sept. 6, 2024, 10:37 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile Sept. 6, 2024, 10:37 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile Sept. 6, 2024, 10:37 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile Sept. 6, 2024, 10:37 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\conhost.exe
file	C:\Users\test22\AppData\Local\Temp\main\7z.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\conhost.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 6, 2024, 10:38 a.m.	show_type: 0 filepath_r: main.bat parameters: /S filepath: main.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 6, 2024, 10:37 a.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004d800', u'virtual_address': u'0x00002000', u'entropy': 7.995831059455287, u'name': u'.text', u'virtual_size': u'0x0004d6e4'}

entropy

7.99583105946

description

A section with a high entropy has been found

entropy

0.992

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (37 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 6, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2024, 10:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://joxi.net/4Ak49WQH0GE3Nr.mp3
url	http://www.passport.com

Yara rule detected in process memory (44 events)

description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000858 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: 7-Zip base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: AddressBook base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Adobe AIR base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Connection Manager base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: EditPlus base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Fontcore base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Google Chrome base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: IE40 base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: IE4Data base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: IEData base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: WIC base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Sept. 6, 2024, 10:37 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000858 key_handle: 0x00000864 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	attrib +H "Installer.exe"
cmdline	main.bat /S

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (2 events)

host	147.45.47.81
host	185.215.113.22

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 6, 2024, 10:37 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (9 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM Win32_Process
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔE¼à0ìÐzº @ @(ºO ÄÉº H.text`ê ì `.rsrcÄÉ Ìð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2148 process_handle: 0x0000002c	1	1
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: °\|: base_address: 0x00450000 process_identifier: 2148 process_handle: 0x0000002c	1	1
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2148 process_handle: 0x0000002c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔE¼à0ìÐzº @ @(ºO ÄÉº H.text`ê ì `.rsrcÄÉ Ìð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2148 process_handle: 0x0000002c	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Sept. 6, 2024, 10:37 a.m.	key_handle: 0x00000864 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Attempts to create or modify system certificates (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 652 called NtSetContextThread to modify thread in remote process 2148
NtSetContextThread Sept. 6, 2024, 10:37 a.m.	registers.eip: 2005598660 registers.esp: 3407444 registers.edi: 0 registers.eax: 4373114 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2148	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 652 resumed a thread in remote process 2148
Process injection	Process 3008 resumed a thread in remote process 3044
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2148	1	0	0
NtResumeThread Sept. 6, 2024, 10:38 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 3044	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 57 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 652	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 652	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 652	1	0
CreateProcessInternalW Sept. 6, 2024, 10:37 a.m.	thread_identifier: 2152 thread_handle: 0x00000020 process_identifier: 2148 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Sept. 6, 2024, 10:37 a.m.	process_identifier: 2148 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔE¼à0ìÐzº @ @(ºO ÄÉº H.text`ê ì `.rsrcÄÉ Ìð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2148 process_handle: 0x0000002c	1	1
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: base_address: 0x00402000 process_identifier: 2148 process_handle: 0x0000002c	1	1
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: base_address: 0x00432000 process_identifier: 2148 process_handle: 0x0000002c	1	1
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: °\|: base_address: 0x00450000 process_identifier: 2148 process_handle: 0x0000002c	1	1
WriteProcessMemory Sept. 6, 2024, 10:37 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2148 process_handle: 0x0000002c	1	1
NtSetContextThread Sept. 6, 2024, 10:37 a.m.	registers.eip: 2005598660 registers.esp: 3407444 registers.edi: 0 registers.eax: 4373114 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000568 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000740 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000764 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000007cc suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000007ec suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000808 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000820 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000838 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000854 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x0000086c suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x0000088c suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000008a4 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x000008bc suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000914 suspend_count: 1 process_identifier: 2148	1	0
NtGetContextThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000180	1	0
NtGetContextThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000180	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x00000934 suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:37 a.m.	thread_handle: 0x0000075c suspend_count: 1 process_identifier: 2148	1	0
NtResumeThread Sept. 6, 2024, 10:38 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2148	1	0
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2936 thread_handle: 0x000008a8 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\conhost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\conhost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\conhost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007f0	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 3012 thread_handle: 0x00000284 process_identifier: 3008 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\main\main.bat" /S filepath_r: stack_pivoted: 0 creation_flags: 67634176 (CREATE_DEFAULT_ERROR_MODE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 1072 thread_handle: 0x000000000000006c process_identifier: 1212 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Windows\System32\mode.com track: 1 command_line: mode 65,10 filepath_r: C:\Windows\system32\mode.com stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2108 thread_handle: 0x0000000000000068 process_identifier: 2088 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e file.zip -p29586644319935208542739921766 -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2204 thread_handle: 0x000000000000006c process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_11.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2328 thread_handle: 0x0000000000000068 process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_10.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2284 thread_handle: 0x000000000000006c process_identifier: 2292 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_9.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2424 thread_handle: 0x0000000000000068 process_identifier: 948 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_8.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2640 thread_handle: 0x000000000000006c process_identifier: 2624 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_7.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2600 thread_handle: 0x0000000000000068 process_identifier: 2584 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_6.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 1700 thread_handle: 0x000000000000006c process_identifier: 2836 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_5.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Sept. 6, 2024, 10:38 a.m.	thread_identifier: 2128 thread_handle: 0x0000000000000068 process_identifier: 1228 current_directory: C:\Users\test22\AppData\Local\Temp\main filepath: C:\Users\test22\AppData\Local\Temp\main\7z.exe track: 1 command_line: 7z.exe e extracted/file_4.zip -oextracted filepath_r: C:\Users\test22\AppData\Local\Temp\main\7z.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.fc
ALYac	Gen:Variant.Ser.Lazy.7836
Cylance	Unsafe
VIPRE	Gen:Variant.Ser.Zusy.5202
Sangfor	Infostealer.Msil.Kryptik.Vkre
K7AntiVirus	Trojan ( 700000121 )
BitDefender	Gen:Variant.Ser.Zusy.5202
K7GW	Trojan ( 700000121 )
Cybereason	malicious.34b8a3
Arcabit	Trojan.Ser.Zusy.D1452
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.HBGX
APEX	Malicious
McAfee	Artemis!324D2A434B8A
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanSpy:MSIL/LummaStealer.ad03e93a
MicroWorld-eScan	Gen:Variant.Ser.Zusy.5202
Rising	Malware.Obfus/MSIL@AI.82 (RDM.MSIL2:mBIGLO1ReLyxdUzxd+m0aA)
Emsisoft	Gen:Variant.Ser.Zusy.5202 (B)
DrWeb	Trojan.PWS.RedLineNET.9
TrendMicro	TrojanSpy.Win32.REDLINE.YXEIFZ
McAfeeD	ti!5D06EC15C934
FireEye	Generic.mg.324d2a434b8a3e03
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Google	Detected
MAX	malware (ai score=81)
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Malware.Win32.RedLine.tr
Microsoft	Trojan:MSIL/LummaStealer.KAP!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Gen:Variant.Ser.Zusy.5202
AhnLab-V3	Trojan/Win.Generic.C5665865
BitDefenderTheta	Gen:NN.ZemsilF.36812.tm0@a4t!Ywpi
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL
Ikarus	Win32.Outbreak
Panda	Trj/GdSda.A
Tencent	Msil.Trojan-Spy.Stealer.Iajl
huorong	Trojan/MSIL.Agent.li
Fortinet	MSIL/GenKryptik.HBGX!tr
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)
alibabacloud	Trojan[spy]:MSIL/LummaStealer.KMD2XJC

66d9ddfaa7a23_Porter.exe#main

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All